Release notes 6.00



  • Fixed the invalid PIN length error for PINs longer than 5 digits.



  • Fixed the "unsupported class javax.crypto.spec.IvParameterSpec" exception that was thrown during the Payload Encryption handshake on Android 8.1 (API 27).



  • Fixed preferred authenticator migration



  • The SDK will not show any root permission dialogs on rooted devices anymore



  • Fixed a bug that corrupted the mobile authentication storage after any SDK update. All users must re-enroll for mobile authentication to fix the storage and mobile authentication functionality.



  • onNextAuthenticationAttempt was always called when the number of failed attempts was > 0 during push mobile authentication with PIN. If a new mobile authentication request arrives, the startAuthentication method must always be called.
  • Fixed a minor cache issue for client configuration.



  • The fingerprint authenticator was not marked as preferred after migrating from Android SDK version 5.x to 6.x in case the user had the fingerprint authenticator registered.



  • Performance improvements



  • Major update of the OkHttp client dependency (from 2.4.0 to the latest 3.5.0). The new client is now used in all SDK requests and is also exposed to the end app via the new methods: DeviceClient#getOkHttpClient(), DeviceClient#getAnonymousResourceOkHttpClient(), UserClient#getResourceOkHttpClient(). The old, deprecated methods will now return an instance of com.jakewharton.retrofit.Ok3Client for backwards compatibility.
  • The SDK will enable TLS 1.2 support for network calls on older Android 4.X devices, where it's disabled by default.
  • Update of the FIDO SDK to the latest 1.5.0 version.
  • New OneginiClientBuilder#setSecurityController that can be used for disabling root/debug detection.
  • The SDK won't deregister the fingerprint authenticator if fingerprint authentication was canceled by the end-user. Instead it will perform a fallback to PIN authentication.



  • Fixed a cookie store issue where cookies were never stored even if the proper method in OneginiClientBuilder was set.



  • Registration action is now performed with a new OneginiRegistrationRequestHandler.
  • When root or debug is detected before DCR, the SDK will still notify the Token Server about a client abuse.


  • The SDK will return only UserProfiles that were able to finish the registration process. In previous versions, when the app was forced to close during the registration action, the SDK could return a corrupted profile object as registered.



  • Support for FIDO UAF (Fast IDentity Online) authenticators.


  • The SDK client will store cookies by default (if it wasn't set directly with OneginiClientBuilder#shouldStoreCookies() call).
  • Improved error handling when a user or device gets deregistered on the Token Server side during SDK's runtime.


  • The SDK will throw an IllegalArgumentException when NULL is passed in public methods that require the UserProfile param.
  • A few smaller bug fixes and improvements.



  • Fixed an internal data encryption issue where the data could be encrypted multiple times when the client config has changed.



  • The OneginiClientConfigModel.getMaxPinFailures() was removed. The SDK will use a maximum pin failures limit that's declared in the Token Server configuration
  • Improved root and debug detection
  • The third-party libraries that are used by the Android SDK can now be resolved as transitive dependencies when including the SDK in an application
  • When the user provides a wrong PIN/fingerprint, but his failed attempts limit is not reached yet, he won't get logged out


  • The getPreferredAuthenticator() method will return null if no user is currently authenticated
  • The SDK will return the proper error type DEVICE_DEREGISTERED if the device was deregistered on the Token Server side
  • Fixed Dynamic Client Registration functionality that could fail if the DCR was performed after device deregistration on the Token Server side
  • The SDK will throw the OneginiInitializationException if internal data decryption fails due to unrecoverable changes in the app client config
  • The SDK will throw the OneginiInitializationException if an optional RequestHandler was not set but it's required to handle an authentication request
  • Other internal bugfixes and improvements



  • Fixed an error where the preferred authenticator could not be loaded properly


This is a stable release of the SDK v6.00.00. The main changes between the 6.00.00-BETA release and the stable release are described below.


  • Brought the handling of failed fingerprint attempts in line with the Android OS. The fingerprint scanner will get automatically blocked by the Android OS. If the fingerprint scanner is blocked (i.e. abuse is detected), the Onegini SDK will revoke fingerprint authentication for the current profile and a fallback to PIN authentication will be triggered
  • The handleAuthorizationCallback method has been renamed into handleRegistrationCallback
  • The package name has been renamed from into
  • The SDK will throw an OneginiInitializationException rather than NullPointerException if it was used without a proper RequestHandler
  • When the user denies a mobile authentication request, the SDK will return an error with the ACTION_CANCELED type
  • New handler class OneginiDeviceAuthenticationHandler for authenticateDevice method
  • All error type values are now in line with error types in the iOS SDK
  • A new AuthenticationAttemptCounter object has been added to several methods in OneginiPinAuthenticationRequestHandler and OneginiMobileAuthenticationPinRequestHandler interfaces
  • All classes that were deprecated and/or not used publicly have been removed
  • The asynchronous method void fetchNotRegisteredAuthenticators has been removed. A new synchronous method Set<OneginiAuthenticator> getNotRegisteredAuthenticators has been introduced
  • A new Set<OneginiAuthenticator> getAllAuthenticators method has been introduced
  • The getUser method has been renamed into getOpenIdUserInfo
  • The OneginiAuthenticator interface has new isRegistered and isPreferred convenience methods
  • The OneginiClientBuilder has a new setDeviceConfigCacheDurationSeconds method
  • Updated the Google Cloud Messaging library dependency from v8.4.0 to the latest v9.6.1


  • Fixed user registration that could not be finished because of the internal client config cache
  • The SDK will not 'hang' when a fingerprint authentication request is received but fingerprint is disabled for the given user
  • Increased the security for mobile authentication by using a stronger hashing algorithm
  • All internal data is being wiped out when the device is deregistered
  • Fixed certificate pinning issues for the latest Android Nougat release
  • The SDK will not return an error during the change PIN flow when the user provides a wrong PIN but has more attempts left


This is a BETA release that can still contain bugs and issues. You should not use it for any production releases!


  • Completely redesigned public API to make the SDK easier to use