2.0.0-beta.0
Pre-release
Summary
First beta release of mvc-auth-commons v2 — a major upgrade migrating from Java 8 / javax.servlet to Java 17 / Jakarta Servlet 6.0, with security hardening, deprecated API removal, and dependency modernization.
Included PRs
| PR | Description |
|---|---|
| #152 | Upgrade auth0-java to v3 |
| #155 | Upgrade java-jwt to v4.5.0 |
| #207 | Java 17 + Jakarta migration |
| #220 | Remove deprecated APIs |
| #221 | Migrate ID token validation to auth0-java v3 |
| #223 | Add transaction binding security fix |
| #225 | Add JPMS module-info.java support |
| #231 | Transaction-keyed cookies to prevent multi-tab OAuth state race conditions |
| #234 | withHttpClient(Auth0HttpClient) builder method |
Key Changes
Platform & Dependency Upgrades
- `javax.servlet` → `jakarta.servlet` (Jakarta Servlet 6.0)
- Java 17 minimum requirement
- Upgraded:
  - `auth0-java` → v3.5.1 (`AuthAPI.newBuilder()` pattern)
  - `java-jwt` → v4.5.0
  - `jwks-rsa` → v0.24.1
- Gradle 8.x
Security Improvements
- HMAC-signed origin domain cookies bound to the OAuth `state` parameter (MCD hardening)
- ID Token signature always verified — no code path allows unverified tokens
- Algorithm auto-detection from the token `alg` header (RS256/HS256)
- Transaction-keyed cookies isolate concurrent login flows (multi-tab fix)
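The two cookie-related items above describe a mechanism rather than an API, so here is an added, self-contained Java illustration of it. This is not mvc-auth-commons code: the library's actual cookie names, value layout and key handling are not described on this page, and the `auth0_tx_` prefix, the `|`-separated value, the in-memory cookie jar and the sample domains are all constructed for the demo. It shows why keying the cookie by `state` lets two tabs log in concurrently, and why an HMAC over `state|domain` stops the origin domain from being edited or moved between transactions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/** Constructed demo of transaction-keyed, HMAC-bound origin domain cookies (not library code). */
public class TransactionCookieDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final String COOKIE_PREFIX = "auth0_tx_"; // hypothetical cookie name prefix

    private final SecretKeySpec hmacKey;
    // Stand-in for the browser's cookie jar: cookie name -> cookie value.
    private final Map<String, String> cookieJar = new LinkedHashMap<>();

    TransactionCookieDemo(byte[] serverSecret) {
        this.hmacKey = new SecretKeySpec(serverSecret, "HmacSHA256");
    }

    /** Starts a login. One cookie per transaction, so concurrent tabs never overwrite each other. */
    String beginLogin(String originDomain) {
        String state = randomToken();
        String nonce = randomToken();
        // The tag covers state AND domain: the domain cannot be edited in place
        // or transplanted into a different transaction's cookie without the key.
        String sig = sign(state + "|" + originDomain);
        cookieJar.put(COOKIE_PREFIX + state, nonce + "|" + originDomain + "|" + sig);
        return state;
    }

    /** Completes the login for the state echoed back on the callback; returns the bound domain. */
    String completeLogin(String returnedState) {
        String cookie = cookieJar.remove(COOKIE_PREFIX + returnedState); // single use
        if (cookie == null) {
            throw new IllegalStateException("no pending transaction for state " + returnedState);
        }
        String[] parts = cookie.split("\\|", 3);
        if (parts.length != 3) {
            throw new IllegalStateException("malformed transaction cookie");
        }
        String originDomain = parts[1];
        byte[] expected = sign(returnedState + "|" + originDomain).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = parts[2].getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so a forger learns nothing from response timing.
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new SecurityException("origin domain cookie failed HMAC verification");
        }
        return originDomain;
    }

    private String sign(String message) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(hmacKey);
            byte[] tag = mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** 256-bit random value, URL-safe base64 (alphabet never contains '|'). */
    private static String randomToken() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret);
        TransactionCookieDemo demo = new TransactionCookieDemo(secret);

        // Two tabs start logins against different domains before either finishes.
        String stateA = demo.beginLogin("login.example-a.test");
        String stateB = demo.beginLogin("login.example-b.test");

        // Finishing B first leaves A's transaction intact (no shared single cookie).
        System.out.println("B resolved to " + demo.completeLogin(stateB));
        System.out.println("A resolved to " + demo.completeLogin(stateA));

        // Tampering: re-point a pending transaction at another domain without the key.
        String stateC = demo.beginLogin("login.example-a.test");
        String original = demo.cookieJar.get(COOKIE_PREFIX + stateC);
        demo.cookieJar.put(COOKIE_PREFIX + stateC,
                original.replace("login.example-a.test", "rogue-domain.test"));
        try {
            demo.completeLogin(stateC);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java TransactionCookieDemo.java` (Java 17 single-file launch). The cookie is removed on first use, so a replayed callback for the same `state` is rejected as well; the HMAC key would in practice come from the application's configured secret rather than a fresh random value per process.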
New Features
- `withHttpClient(Auth0HttpClient)` for custom HTTP client configuration (timeouts, proxies, etc.)
- JPMS module support (`com.auth0.mvc.commons`)
- ID Token validation delegated to auth0-java v3's `IdTokenVerifier`
Deprecated API Removal
- `handle(HttpServletRequest)` → use `handle(request, response)`
- `buildAuthorizeUrl(request, uri)` → use the 3-parameter version
- `InvalidRequestException.getDescription()` → use `getMessage()`
- `withHttpOptions(HttpOptions)` → use `withHttpClient(Auth0HttpClient)`
- Removed custom verifier classes: `IdTokenVerifier`, `SignatureVerifier`, `AsymmetricSignatureVerifier`, `SymmetricSignatureVerifier`, `AlgorithmNameVerifier`, `TokenValidationException`
- Removed session-based storage: `RandomStorage`, `SessionUtils`

Note: Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses `HttpSession` for OAuth state management.
Breaking Changes
| Change | Migration |
|---|---|
| Java 17 required | Upgrade JDK/runtime |
| `jakarta.servlet` namespace | Update imports; use Tomcat 10.1+, Jetty 12+, WildFly 27+ |
| `handle(request)` removed | Use `handle(request, response)` |
| `buildAuthorizeUrl(request, uri)` removed | Use `buildAuthorizeUrl(request, response, uri)` |
| `InvalidRequestException.getDescription()` removed | Use `getMessage()` |
| `withHttpOptions(HttpOptions)` removed | Use `withHttpClient(Auth0HttpClient)` |
| Custom verifier classes removed | No action — handled internally |
| Session-based storage removed | No action — cookies used automatically |
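As an added migration sketch (not taken from the project's documentation), the following servlet-side class shows the v1 calls from the table as comments next to their v2 replacements. It assumes that the v1 entry points `com.auth0.AuthenticationController`, `Tokens`, `IdentityVerificationException` and the `withScope` builder call keep their names in v2, and that auth0-java's `DefaultHttpClient.newBuilder()` with `withConnectTimeout` / `withReadTimeout` is the `Auth0HttpClient` implementation being passed in; the timeout values and redirect URI are placeholders.

```java
import com.auth0.AuthenticationController;   // assumed unchanged from v1
import com.auth0.IdentityVerificationException; // assumed unchanged from v1
import com.auth0.Tokens;                       // assumed unchanged from v1
import com.auth0.net.client.Auth0HttpClient;
import com.auth0.net.client.DefaultHttpClient; // auth0-java's stock Auth0HttpClient (assumed API)
import jakarta.servlet.http.HttpServletRequest;  // v2: jakarta.*, not javax.*
import jakarta.servlet.http.HttpServletResponse;

/** Illustrative v1 -> v2 migration of a login helper (not library code). */
public class LoginHelperMigration {

    // v1 (removed): .withHttpOptions(new HttpOptions()) on the builder.
    // v2: build one Auth0HttpClient and share it; placeholder timeouts in seconds.
    private static final Auth0HttpClient HTTP_CLIENT = DefaultHttpClient.newBuilder()
            .withConnectTimeout(10)
            .withReadTimeout(10)
            .build();

    private final AuthenticationController controller;

    LoginHelperMigration(String domain, String clientId, String clientSecret) {
        this.controller = AuthenticationController.newBuilder(domain, clientId, clientSecret)
                .withHttpClient(HTTP_CLIENT)
                .build();
    }

    /** Builds the redirect to Auth0. */
    String startLogin(HttpServletRequest request, HttpServletResponse response) {
        // v1 (removed): controller.buildAuthorizeUrl(request, redirectUri)
        // v2 needs the response: the state/nonce now travel in transient cookies
        //     written here, instead of being stored in the HttpSession.
        String redirectUri = "https://app.example.test/callback"; // placeholder
        return controller.buildAuthorizeUrl(request, response, redirectUri)
                .withScope("openid profile email")
                .build();
    }

    /** Handles the callback; ID token signature verification is always performed in v2. */
    Tokens finishLogin(HttpServletRequest request, HttpServletResponse response)
            throws IdentityVerificationException {
        // v1 (removed): controller.handle(request)
        // v2: the response is required so the consumed transaction cookie can be cleared.
        return controller.handle(request, response);
    }
}
```

When catching `InvalidRequestException` around `handle`, read the reason from `getMessage()`; the `getDescription()` accessor listed in the table no longer exists.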
Installation
Maven

```xml
<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>2.0.0-beta.0</version>
</dependency>
```

Gradle

```groovy
implementation 'com.auth0:mvc-auth-commons:2.0.0-beta.0'
```
Test Plan
- All 189 tests passing across 8 test classes (Java 17)
- Verified Code Grant flow (authorize → callback → token exchange)
- Verified Implicit Grant flow (id_token token response type)
- Verified multi-tab login isolation (concurrent state cookies coexist)
- Verified MCD with HMAC-signed origin domain cookies
- Verified MCD + PAR + JAR integration
- Verified withHttpClient(Auth0HttpClient) — single client reused across MCD domains
- Verified legacy cookie fallback for rolling upgrades
- Confirmed v1 branch (master) unaffected
Credits
Thank you for the contribution
Updated to JDK 21, gradle 8, fixed tests - #156 by TareqK