When implementing Passkeys (WebAuthn) in a Spring Security application that uses Spring Session JDBC (or another persistent session store such as Redis), serialization failures may occur. They surface when the session is written to the store, because the SecurityContext it carries contains WebAuthn-specific objects that the store cannot serialize.
Spring Security 7.x
The root cause is that Passkey-related objects end up in the HTTP session: the WebAuthnAuthentication held in the SecurityContext after a successful login, and the PublicKeyCredentialRequestOptions that the options repository keeps in the session between issuing the challenge and verifying the assertion.
With a persistent session store such as Spring Session JDBC or Redis, the whole session, SecurityContext included, is serialized on every write. In Spring Security 6.x and early 7.0 versions these classes, built on top of the webauthn4j library, did not implement Serializable, so the write fails; with the default JDK serialization strategy this typically shows up as a java.io.NotSerializableException naming the offending class (often wrapped in a Spring SerializationFailedException).
The 7.1.0 release provides a comprehensive fix to make Passkey support "session-aware" out of the box:
- Core classes like WebAuthnAuthenticationToken and WebAuthnAuthentication now implement Serializable.
- Sub-components, including PublicKeyCredentialRequestOptions, have been updated to support JDK serialization, ensuring the session remains stable across distributed nodes.
- The classes have been aligned with Jackson 3, which is the new default for Spring Security 7.x, ensuring future-proof JSON serialization.
Refer to the 7.1.0 release notes for details.
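The failure described above can be reproduced, and the fix verified, without a database: Spring Session JDBC's default strategy is plain JDK serialization, so an ObjectOutputStream round-trip of the objects that Passkey login leaves in the session exercises the same code path. The following is an added example, not code from Spring Security or Spring Session; the user name, display name and relying-party id are constructed sample values, and the class name PasskeySessionSerializationCheck is an assumption. On an affected version the first writeObject throws NotSerializableException; on 7.1.0 and later it completes.

```java
// Added example (not Spring Security's or Spring Session's own code): JDK
// serialization round-trip of the Passkey objects a persistent session store
// must write. Reproduces the pre-7.1.0 failure offline, passes once fixed.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.webauthn.api.Bytes;
import org.springframework.security.web.webauthn.api.ImmutablePublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialRequestOptions;
import org.springframework.security.web.webauthn.api.PublicKeyCredentialUserEntity;
import org.springframework.security.web.webauthn.authentication.WebAuthnAuthentication;

public final class PasskeySessionSerializationCheck {

    /** Serialize then deserialize with plain JDK serialization and return the copy. */
    static Object roundTrip(Object value) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            // On an affected Spring Security version this line throws
            // java.io.NotSerializableException for the WebAuthn class involved.
            out.writeObject(value);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    /** The SecurityContext a session store has to persist after a successful Passkey login. */
    static SecurityContext contextAfterPasskeyLogin() {
        // Constructed sample user; in a real application this comes from the stored credential.
        PublicKeyCredentialUserEntity user = ImmutablePublicKeyCredentialUserEntity.builder()
                .id(Bytes.random())
                .name("alice@example.com")   // constructed sample value
                .displayName("Alice")        // constructed sample value
                .build();
        WebAuthnAuthentication authentication =
                new WebAuthnAuthentication(user, AuthorityUtils.createAuthorityList("ROLE_USER"));
        return new SecurityContextImpl(authentication);
    }

    /** The request options kept in the session between challenge and assertion. */
    static PublicKeyCredentialRequestOptions pendingRequestOptions() {
        return PublicKeyCredentialRequestOptions.builder()
                .challenge(Bytes.random())
                .rpId("example.com")         // assumed relying-party id
                .build();
    }

    public static void main(String[] args) throws Exception {
        SecurityContext restored = (SecurityContext) roundTrip(contextAfterPasskeyLogin());
        WebAuthnAuthentication auth = (WebAuthnAuthentication) restored.getAuthentication();
        PublicKeyCredentialUserEntity principal = (PublicKeyCredentialUserEntity) auth.getPrincipal();
        if (!auth.isAuthenticated() || !"alice@example.com".equals(principal.getName())) {
            throw new IllegalStateException("WebAuthnAuthentication did not survive the round trip intact");
        }

        PublicKeyCredentialRequestOptions options =
                (PublicKeyCredentialRequestOptions) roundTrip(pendingRequestOptions());
        if (!"example.com".equals(options.getRpId())) {
            throw new IllegalStateException("PublicKeyCredentialRequestOptions did not survive the round trip intact");
        }
        System.out.println("Passkey session objects are JDK-serializable on this Spring Security version");
    }
}
```

Wrapping the two round-trips in a JUnit test in the application's own suite is the practical form of this check: it fails the build if a dependency upgrade, or a custom PublicKeyCredentialUserEntity or UserDetails implementation added by the project, reintroduces a non-serializable object into the session. The same check applies to Spring Session Data Redis, whose default serializer is also JDK serialization.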