Skip to content

Releases: auth0/auth0-java-mvc-common

2.0.0-beta.1

2.0.0-beta.1 Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 15 Jul 08:53
611b3a5

Added

  • Refresh Token Grant (MRRT): AuthenticationController.renewAuth(...) exchanges a refresh token for a new set of tokens, supporting Multi-Resource Refresh Token flows via withAudience()/withScope() #242 (tanya732)
  • Custom Token Exchange (CTE): AuthenticationController.customTokenExchange(...) and loginWithCustomTokenExchange(...) exchange an external subject_token for Auth0 tokens (RFC 8693) #253 (tanya732)
  • Client-Initiated Backchannel Authentication (CIBA): AuthenticationController.backChannelAuthorize(...) and backChannelPoll(...) support the decoupled, app-owned polling flow, with BackChannelAuthorizationException typed helpers (isAuthorizationPending(), isSlowDown(), isExpiredToken(), isAccessDenied()) #254 (tanya732)

Merged via #255.

2.0.0-beta.0

2.0.0-beta.0 Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 29 May 15:39
b17fc88

Summary

First beta release of mvc-auth-commons v2 — a major upgrade migrating from Java 8 / javax.servlet to Java 17 / Jakarta Servlet 6.0, with security hardening, deprecated API removal, and
dependency modernization.


Included PRs

PR Description
#152 Upgrade auth0-java to v3
#155 Upgrade java-jwt to v4.5.0
#207 Java 17 + Jakarta migration
#220 Remove deprecated APIs
#221 Migrate ID token validation to auth0-java v3
#223 Add transaction binding security fix
#225 Add JPMS module-info.java support
#231 Transaction-keyed cookies to prevent multi-tab OAuth state race conditions
#234 withHttpClient(Auth0HttpClient) builder method

Key Changes

Platform & Dependency Upgrades

  • javax.servletjakarta.servlet (Jakarta Servlet 6.0)
  • Java 17 minimum requirement
  • Upgraded:
    • auth0-java → v3.5.1 (AuthAPI.newBuilder() pattern)
    • java-jwt → v4.5.0
    • jwks-rsa → v0.24.1
    • Gradle 8.x

Security Improvements

  • HMAC-signed origin domain cookies bound to OAuth state parameter (MCD hardening)
  • ID Token signature always verified — no code path allows unverified tokens
  • Algorithm auto-detection from token alg header (RS256/HS256)
  • Transaction-keyed cookies isolate concurrent login flows (multi-tab fix)

New Features

  • withHttpClient(Auth0HttpClient) for custom HTTP client configuration (timeouts, proxies, etc.)
  • JPMS module support (com.auth0.mvc.commons)
  • ID Token validation delegated to auth0-java v3's IdTokenVerifier

Deprecated API Removal

  • handle(HttpServletRequest) → use handle(request, response)
  • buildAuthorizeUrl(request, uri) → use 3-parameter version
  • InvalidRequestException.getDescription() → use getMessage()
  • withHttpOptions(HttpOptions) → use withHttpClient(Auth0HttpClient)
  • Removed custom verifier classes: IdTokenVerifier, SignatureVerifier, AsymmetricSignatureVerifier, SymmetricSignatureVerifier, AlgorithmNameVerifier, TokenValidationException
  • Removed session-based storage: RandomStorage, SessionUtils

Note: Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses HttpSession for OAuth state management.


Breaking Changes

Change Migration
Java 17 required Upgrade JDK/runtime
jakarta.servlet namespace Update imports; use Tomcat 10.1+, Jetty 12+, WildFly 27+
handle(request) removed Use handle(request, response)
buildAuthorizeUrl(request, uri) removed Use buildAuthorizeUrl(request, response, uri)
InvalidRequestException.getDescription() removed Use getMessage()
withHttpOptions(HttpOptions) removed Use withHttpClient(Auth0HttpClient)
Custom verifier classes removed No action — handled internally
Session-based storage removed No action — cookies used automatically

Installation

Maven

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>2.0.0-beta.0</version>
</dependency>

Gradle

  implementation 'com.auth0:mvc-auth-commons:2.0.0-beta.0'

Test Plan

  • All 189 tests passing across 8 test classes (Java 17)
  • Verified Code Grant flow (authorize → callback → token exchange)
  • Verified Implicit Grant flow (id_token token response type)
  • Verified multi-tab login isolation (concurrent state cookies coexist)
  • Verified MCD with HMAC-signed origin domain cookies
  • Verified MCD + PAR + JAR integration
  • Verified withHttpClient(Auth0HttpClient) — single client reused across MCD domains
  • Verified legacy cookie fallback for rolling upgrades
  • Confirmed v1 branch (master) unaffected

Credits
Thank you for the contribution
Updated to JDK 21, gradle 8, fixed tests - #156 by TareqK

1.12.0

Choose a tag to compare

@github-actions github-actions released this 09 Apr 10:36
eded367

Added

1.11.1

Choose a tag to compare

@github-actions github-actions released this 12 Sep 13:59
2f49078

Added

1.11.0

Choose a tag to compare

@github-actions github-actions released this 19 Dec 16:59
07fc4ac

Changed

Security

1.10.0

Choose a tag to compare

@jimmyjames jimmyjames released this 18 Jul 20:33
7b4cf23

Full Changelog

** Added**

1.9.5

Choose a tag to compare

@jimmyjames jimmyjames released this 12 May 19:17
93ce224

Full Changelog

Added

1.9.4

Choose a tag to compare

@jimmyjames jimmyjames released this 11 Jan 16:55
97e75d4

Full Changelog

This patch release does not contain any functional changes, but is being released using an updated signing key for verification as part of our commitment to best security practices.
Please review the README note for additional details.

Security

1.9.3

Choose a tag to compare

@auth0-oss auth0-oss released this 26 Oct 13:32
3c39db4

Changed

  • Update to Gradle 6.9.2 and bump OSS plugin version #113 (jimmyjames)

Security

1.9.2

Choose a tag to compare

@jimmyjames jimmyjames released this 11 Apr 23:48

Full Changelog

Security