
2.0.0-beta.0

Pre-release

@github-actions github-actions released this 29 May 15:39
b17fc88

Summary

First beta release of mvc-auth-commons v2 — a major upgrade migrating from Java 8 / javax.servlet to Java 17 / Jakarta Servlet 6.0, with security hardening, deprecated API removal, and dependency modernization.


Included PRs

PR     Description
#152   Upgrade auth0-java to v3
#155   Upgrade java-jwt to v4.5.0
#207   Java 17 + Jakarta migration
#220   Remove deprecated APIs
#221   Migrate ID token validation to auth0-java v3
#223   Add transaction binding security fix
#225   Add JPMS module-info.java support
#231   Transaction-keyed cookies to prevent multi-tab OAuth state race conditions
#234   withHttpClient(Auth0HttpClient) builder method

Key Changes

Platform & Dependency Upgrades

  • javax.servlet → jakarta.servlet (Jakarta Servlet 6.0)
  • Java 17 minimum requirement
  • Upgraded:
    • auth0-java → v3.5.1 (AuthAPI.newBuilder() pattern)
    • java-jwt → v4.5.0
    • jwks-rsa → v0.24.1
    • Gradle 8.x

Security Improvements

  • HMAC-signed origin domain cookies bound to OAuth state parameter (MCD hardening)
  • ID Token signature always verified — no code path allows unverified tokens
  • Algorithm auto-detection from token alg header (RS256/HS256)
  • Transaction-keyed cookies isolate concurrent login flows (multi-tab fix)

New Features

  • withHttpClient(Auth0HttpClient) for custom HTTP client configuration (timeouts, proxies, etc.)
  • JPMS module support (com.auth0.mvc.commons)
  • ID Token validation delegated to auth0-java v3's IdTokenVerifier

Deprecated API Removal

  • handle(HttpServletRequest) → use handle(request, response)
  • buildAuthorizeUrl(request, uri) → use 3-parameter version
  • InvalidRequestException.getDescription() → use getMessage()
  • withHttpOptions(HttpOptions) → use withHttpClient(Auth0HttpClient)
  • Removed custom verifier classes: IdTokenVerifier, SignatureVerifier, AsymmetricSignatureVerifier, SymmetricSignatureVerifier, AlgorithmNameVerifier, TokenValidationException
  • Removed session-based storage: RandomStorage, SessionUtils

Note: Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses HttpSession for OAuth state management.


Breaking Changes

Change                                              Migration
Java 17 required                                    Upgrade JDK/runtime
jakarta.servlet namespace                           Update imports; use Tomcat 10.1+, Jetty 12+, WildFly 27+
handle(request) removed                             Use handle(request, response)
buildAuthorizeUrl(request, uri) removed             Use buildAuthorizeUrl(request, response, uri)
InvalidRequestException.getDescription() removed    Use getMessage()
withHttpOptions(HttpOptions) removed                Use withHttpClient(Auth0HttpClient)
Custom verifier classes removed                     No action — handled internally
Session-based storage removed                       No action — cookies used automatically
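The migration table above, worked through as a minimal login/callback pair on the v2 API. This is an added example, not code from the release notes or the project; it assumes AuthenticationController.newBuilder(domain, clientId, clientSecret), AuthorizeUrl.withScope()/build(), Tokens.getIdToken() and IdentityVerificationException carry over unchanged from v1, and that auth0-java v3 exposes the DefaultHttpClient.newBuilder() timeout methods shown.

```java
// Added example, not the project's own code. Assumed names are marked below.
import com.auth0.AuthenticationController;          // assumed unchanged from v1
import com.auth0.IdentityVerificationException;     // assumed: parent of InvalidRequestException
import com.auth0.Tokens;                            // assumed unchanged from v1
import com.auth0.net.client.Auth0HttpClient;        // auth0-java v3
import com.auth0.net.client.DefaultHttpClient;      // assumed builder API
import jakarta.servlet.http.HttpServletRequest;     // javax.servlet no longer compiles
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

public final class Auth0Flow {
    private final AuthenticationController controller;

    public Auth0Flow(String domain, String clientId, String clientSecret) {
        // v2: withHttpOptions(HttpOptions) is gone; timeouts/proxies go on an Auth0HttpClient,
        // and one client can be shared across MCD domains.
        Auth0HttpClient http = DefaultHttpClient.newBuilder()
            .withConnectTimeout(5)   // seconds (assumed unit)
            .withReadTimeout(10)
            .build();
        this.controller = AuthenticationController.newBuilder(domain, clientId, clientSecret)
            .withHttpClient(http)
            .build();
    }

    // Step 1: the response argument is mandatory in v2 because state/nonce are written to
    // transaction-keyed cookies instead of HttpSession.
    public void login(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String redirectUri = req.getScheme() + "://" + req.getServerName() + "/callback";
        String url = controller.buildAuthorizeUrl(req, res, redirectUri)
            .withScope("openid profile email")
            .build();
        res.sendRedirect(url);
    }

    // Step 2: handle(request, response) reads the transaction cookie, checks state, exchanges
    // the code and verifies the ID token signature; there is no unverified code path.
    public String callback(HttpServletRequest req, HttpServletResponse res) throws IOException {
        try {
            Tokens tokens = controller.handle(req, res);
            return tokens.getIdToken();
        } catch (IdentityVerificationException e) {
            // v2: InvalidRequestException.getDescription() was removed; use getMessage().
            res.sendError(HttpServletResponse.SC_FORBIDDEN, e.getMessage());
            return null;
        }
    }
}
```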

Installation

Maven

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>2.0.0-beta.0</version>
</dependency>

Gradle

  implementation 'com.auth0:mvc-auth-commons:2.0.0-beta.0'

Test Plan

  • All 189 tests passing across 8 test classes (Java 17)
  • Verified Code Grant flow (authorize → callback → token exchange)
  • Verified Implicit Grant flow (id_token token response type)
  • Verified multi-tab login isolation (concurrent state cookies coexist)
  • Verified MCD with HMAC-signed origin domain cookies
  • Verified MCD + PAR + JAR integration
  • Verified withHttpClient(Auth0HttpClient) — single client reused across MCD domains
  • Verified legacy cookie fallback for rolling upgrades
  • Confirmed v1 branch (master) unaffected

Credits

Thank you for the contribution:
Updated to JDK 21, Gradle 8, fixed tests - #156 by TareqK