Spring Security should add support for serialize/deserialize PublicKeyCredentialRequestOptions with ObjectMapper so it is easier to persist with Spring Session.
NOTE: WebauthnJackson2Module is used for reading/writing to the HTTP Response which includes untrusted inputs. This means that it cannot enable default-typing otherwise it could create deserialization vulnerabilities.