Releases: auth0/auth0-java-mvc-common

2.0.0-beta.0

29 May 15:39
b17fc88

Pre-release

Summary

First beta release of mvc-auth-commons v2 — a major upgrade migrating from Java 8 / javax.servlet to Java 17 / Jakarta Servlet 6.0, with security hardening, deprecated API removal, and dependency modernization.


Included PRs

PR    Description
#152  Upgrade auth0-java to v3
#155  Upgrade java-jwt to v4.5.0
#207  Java 17 + Jakarta migration
#220  Remove deprecated APIs
#221  Migrate ID token validation to auth0-java v3
#223  Add transaction binding security fix
#225  Add JPMS module-info.java support
#231  Transaction-keyed cookies to prevent multi-tab OAuth state race conditions
#234  withHttpClient(Auth0HttpClient) builder method

Key Changes

Platform & Dependency Upgrades

  • javax.servlet → jakarta.servlet (Jakarta Servlet 6.0)
  • Java 17 minimum requirement
  • Upgraded:
    • auth0-java → v3.5.1 (AuthAPI.newBuilder() pattern)
    • java-jwt → v4.5.0
    • jwks-rsa → v0.24.1
    • Gradle 8.x

Security Improvements

  • HMAC-signed origin domain cookies bound to OAuth state parameter (MCD hardening)
  • ID Token signature always verified — no code path allows unverified tokens
  • Algorithm auto-detection from token alg header (RS256/HS256)
  • Transaction-keyed cookies isolate concurrent login flows (multi-tab fix)
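
The first bullet above, shown as an added illustration: a cookie value carrying an origin domain is authenticated with an HMAC that also covers the OAuth state, so it is rejected if it is edited or presented with a different state. This is not code from mvc-auth-commons; the class name StateBoundCookie, the "domain|mac" layout and the demo key are assumptions made for the example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;

// Illustration only: cookie layout and key handling are assumptions, not the library's format.
public class StateBoundCookie {
    private final byte[] key;

    public StateBoundCookie(byte[] key) { this.key = key.clone(); }

    // The MAC covers state and domain together, binding the cookie to one login transaction.
    private byte[] mac(String state, String domain) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        // Length-prefix the state so ("ab","c") and ("a","bc") never yield the same MAC input.
        hmac.update((state.length() + ":" + state).getBytes(StandardCharsets.UTF_8));
        hmac.update(domain.getBytes(StandardCharsets.UTF_8));
        return hmac.doFinal();
    }

    public String issue(String state, String domain) throws Exception {
        return domain + "|" + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(state, domain));
    }

    // Returns the domain only if the cookie was issued for exactly this state.
    public Optional<String> verify(String state, String cookieValue) throws Exception {
        int sep = cookieValue.lastIndexOf('|');
        if (sep < 0) return Optional.empty();
        String domain = cookieValue.substring(0, sep);
        byte[] presented;
        try {
            presented = Base64.getUrlDecoder().decode(cookieValue.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed MAC field
        }
        // MessageDigest.isEqual compares in constant time, avoiding a timing side channel.
        return MessageDigest.isEqual(mac(state, domain), presented) ? Optional.of(domain) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key and values; a real key comes from secret storage.
        StateBoundCookie c = new StateBoundCookie("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        String cookie = c.issue("state-A", "tenant-a.example.com");
        System.out.println(c.verify("state-A", cookie)); // same state the cookie was issued for
        System.out.println(c.verify("state-B", cookie)); // state of a different login transaction
        System.out.println(c.verify("state-A", cookie.replace("tenant-a", "tenant-b"))); // domain edited
    }
}
```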

New Features

  • withHttpClient(Auth0HttpClient) for custom HTTP client configuration (timeouts, proxies, etc.)
  • JPMS module support (com.auth0.mvc.commons)
  • ID Token validation delegated to auth0-java v3's IdTokenVerifier

Deprecated API Removal

  • handle(HttpServletRequest) → use handle(request, response)
  • buildAuthorizeUrl(request, uri) → use 3-parameter version
  • InvalidRequestException.getDescription() → use getMessage()
  • withHttpOptions(HttpOptions) → use withHttpClient(Auth0HttpClient)
  • Removed custom verifier classes: IdTokenVerifier, SignatureVerifier, AsymmetricSignatureVerifier, SymmetricSignatureVerifier, AlgorithmNameVerifier, TokenValidationException
  • Removed session-based storage: RandomStorage, SessionUtils

Note: Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses HttpSession for OAuth state management.


Breaking Changes

Change                                            Migration
Java 17 required                                  Upgrade JDK/runtime
jakarta.servlet namespace                         Update imports; use Tomcat 10.1+, Jetty 12+, WildFly 27+
handle(request) removed                           Use handle(request, response)
buildAuthorizeUrl(request, uri) removed           Use buildAuthorizeUrl(request, response, uri)
InvalidRequestException.getDescription() removed  Use getMessage()
withHttpOptions(HttpOptions) removed              Use withHttpClient(Auth0HttpClient)
Custom verifier classes removed                   No action — handled internally
Session-based storage removed                     No action — cookies used automatically

Installation

Maven

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>2.0.0-beta.0</version>
</dependency>

Gradle

  implementation 'com.auth0:mvc-auth-commons:2.0.0-beta.0'

Test Plan

  • All 189 tests passing across 8 test classes (Java 17)
  • Verified Code Grant flow (authorize → callback → token exchange)
  • Verified Implicit Grant flow (id_token token response type)
  • Verified multi-tab login isolation (concurrent state cookies coexist)
  • Verified MCD with HMAC-signed origin domain cookies
  • Verified MCD + PAR + JAR integration
  • Verified withHttpClient(Auth0HttpClient) — single client reused across MCD domains
  • Verified legacy cookie fallback for rolling upgrades
  • Confirmed v1 branch (master) unaffected

Credits
Thank you for the contribution
Updated to JDK 21, gradle 8, fixed tests - #156 by TareqK

1.12.0

09 Apr 10:36
eded367

Added

1.11.1

12 Sep 13:59
2f49078

Added

1.11.0

19 Dec 16:59
07fc4ac

Changed

Security

1.10.0

18 Jul 20:33
7b4cf23

Added

1.9.5

12 May 19:17
93ce224

Added

1.9.4

11 Jan 16:55
97e75d4

This patch release does not contain any functional changes, but is being released using an updated signing key for verification as part of our commitment to best security practices.
Please review the README note for additional details.

Security

1.9.3

26 Oct 13:32
3c39db4

Changed

  • Update to Gradle 6.9.2 and bump OSS plugin version #113 (jimmyjames)

Security

1.9.2

11 Apr 23:48

Security

1.9.1

30 Mar 11:35

1.9.1 (2022-03-30)

Security

  • Bump transitive jackson dependencies in auth0 libraries #104 (poovamraj)