Release 2.0.0 beta.0 #237

Merged

tanya732 merged 3 commits into v2 from release/2.0.0-beta.0 on May 29, 2026

Conversation

@tanya732 (Contributor)
Summary

First beta release of mvc-auth-commons v2 — a major upgrade migrating from Java 8 / javax.servlet to Java 17 / Jakarta Servlet 6.0, with security hardening, deprecated API removal, and dependency modernization.


Included PRs

PR     Description
#152   Upgrade auth0-java to v3
#155   Upgrade java-jwt to v4.5.0
#207   Java 17 + Jakarta migration
#220   Remove deprecated APIs
#221   Migrate ID token validation to auth0-java v3
#223   Add transaction binding security fix
#225   Add JPMS module-info.java support
#231   Transaction-keyed cookies to prevent multi-tab OAuth state race conditions
#234   withHttpClient(Auth0HttpClient) builder method

Key Changes

Platform & Dependency Upgrades

  • javax.servlet → jakarta.servlet (Jakarta Servlet 6.0)
  • Java 17 minimum requirement
  • Upgraded:
    • auth0-java → v3.5.1 (AuthAPI.newBuilder() pattern)
    • java-jwt → v4.5.0
    • jwks-rsa → v0.24.1
    • Gradle 8.x

Security Improvements

  • HMAC-signed origin domain cookies bound to OAuth state parameter (MCD hardening)
  • ID Token signature always verified — no code path allows unverified tokens
  • Algorithm auto-detection from token alg header (RS256/HS256)
  • Transaction-keyed cookies isolate concurrent login flows (multi-tab fix)

New Features

  • withHttpClient(Auth0HttpClient) for custom HTTP client configuration (timeouts, proxies, etc.)
  • JPMS module support (com.auth0.mvc.commons)
  • ID Token validation delegated to auth0-java v3's IdTokenVerifier

Deprecated API Removal

  • handle(HttpServletRequest) → use handle(request, response)
  • buildAuthorizeUrl(request, uri) → use 3-parameter version
  • InvalidRequestException.getDescription() → use getMessage()
  • withHttpOptions(HttpOptions) → use withHttpClient(Auth0HttpClient)
  • Removed custom verifier classes: IdTokenVerifier, SignatureVerifier, AsymmetricSignatureVerifier, SymmetricSignatureVerifier, AlgorithmNameVerifier, TokenValidationException
  • Removed session-based storage: RandomStorage, SessionUtils

Note: Session (HTTP Session) based state/nonce storage has been replaced with secure transient cookies — the library no longer uses HttpSession for OAuth state management.


Breaking Changes

Change                                        Migration
Java 17 required                              Upgrade JDK/runtime
jakarta.servlet namespace                     Update imports; use Tomcat 10.1+, Jetty 12+, WildFly 27+
handle(request) removed                       Use handle(request, response)
buildAuthorizeUrl(request, uri) removed       Use buildAuthorizeUrl(request, response, uri)
InvalidRequestException.getDescription() removed   Use getMessage()
withHttpOptions(HttpOptions) removed          Use withHttpClient(Auth0HttpClient)
Custom verifier classes removed               No action — handled internally
Session-based storage removed                 No action — cookies used automatically

Installation

Maven

<dependency>
  <groupId>com.auth0</groupId>
  <artifactId>mvc-auth-commons</artifactId>
  <version>2.0.0-beta.0</version>
</dependency>

Gradle

implementation 'com.auth0:mvc-auth-commons:2.0.0-beta.0'

---
Test Plan

- All 189 tests passing across 8 test classes (Java 17)
- Verified Code Grant flow (authorize → callback → token exchange)
- Verified Implicit Grant flow (id_token token response type)
- Verified multi-tab login isolation (concurrent state cookies coexist)
- Verified MCD with HMAC-signed origin domain cookies
- Verified MCD + PAR + JAR integration
- Verified withHttpClient(Auth0HttpClient) — single client reused across MCD domains
- Verified legacy cookie fallback for rolling upgrades
- Confirmed v1 branch (master) unaffected
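The Breaking Changes table above lists the new call shapes but no code. The following servlet is an added illustration of a Code Grant login and callback written against those shapes; it is not code from this PR or from the library. It assumes the AuthenticationController builder, AuthorizeUrl.withScope()/build(), Tokens.getIdToken() and IdentityVerificationException that already exist in the 1.x API, and that auth0-java 3.x keeps the DefaultHttpClient.newBuilder().withConnectTimeout()/withReadTimeout() builder from 2.x (timeouts in seconds). The init-parameter names are placeholders.

```java
import java.io.IOException;

import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.auth0.AuthenticationController;
import com.auth0.IdentityVerificationException;
import com.auth0.Tokens;
import com.auth0.net.client.Auth0HttpClient;
import com.auth0.net.client.DefaultHttpClient;

/**
 * Login and callback in one servlet, using the v2 API shapes from the
 * Breaking Changes table. Illustrative code, not part of the PR.
 */
@WebServlet(urlPatterns = {"/login", "/callback"})
public class AuthServlet extends HttpServlet {

    private AuthenticationController controller;

    @Override
    public void init() throws ServletException {
        // Replaces withHttpOptions(HttpOptions): one Auth0HttpClient with explicit
        // timeouts is shared by every Auth0 call the controller makes.
        // Builder method names are assumed from auth0-java 2.x.
        Auth0HttpClient http = DefaultHttpClient.newBuilder()
                .withConnectTimeout(5)
                .withReadTimeout(10)
                .build();

        // Init-parameter names are placeholders for this example.
        controller = AuthenticationController
                .newBuilder(getInitParameter("auth0.domain"),
                            getInitParameter("auth0.clientId"),
                            getInitParameter("auth0.clientSecret"))
                .withResponseType("code")      // Code Grant: tokens are exchanged server-side
                .withHttpClient(http)
                .build();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if ("/login".equals(req.getServletPath())) {
            // Three-parameter form: the response is required because state and nonce
            // are now written to transient cookies instead of HttpSession.
            String redirectUri = req.getRequestURL().toString().replace("/login", "/callback");
            String authorizeUrl = controller
                    .buildAuthorizeUrl(req, resp, redirectUri)
                    .withScope("openid profile email")
                    .build();
            resp.sendRedirect(authorizeUrl);
            return;
        }

        try {
            // handle(request, response): reads and clears the transaction cookies,
            // checks state, exchanges the code and verifies the ID token signature.
            Tokens tokens = controller.handle(req, resp);
            req.getSession().setAttribute("idToken", tokens.getIdToken());
            resp.sendRedirect("/home");
        } catch (IdentityVerificationException e) {
            // State mismatch, bad signature, expired token or failed exchange:
            // log the detail server-side and give the caller a bare 403.
            log("Login callback rejected", e);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }
}
```

The only two lines that differ from a 1.x servlet are the withHttpClient(...) call and the jakarta.servlet imports; the two-argument handle and three-argument buildAuthorizeUrl were already the non-deprecated forms in 1.x, so code that had moved off the deprecated overloads compiles against v2 after the import change.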

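The Security Improvements list above names two cookie properties (transaction-keyed cookies and an origin-domain cookie bound to the state parameter by an HMAC) without showing what they guard against. The class below is an added sketch of those two properties in plain JDK code, written for this page; it is not the library's implementation and makes no claim about its cookie names, encoding or key handling. A HashMap stands in for the browser's cookie jar, and the HMAC key is assumed to come from server configuration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/**
 * Illustration of transaction-keyed cookies whose origin-domain value is bound
 * to the OAuth state by an HMAC. Not the library's code.
 */
public final class TxCookies {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    private final byte[] secret;                                // assumed: server-side key from config
    private final Map<String, String> jar = new HashMap<>();    // stands in for the browser cookie jar

    public TxCookies(byte[] secret) { this.secret = secret.clone(); }

    /** 256-bit random state, URL-safe so it can double as part of a cookie name. */
    public static String newState() {
        byte[] b = new byte[32];
        RNG.nextBytes(b);
        return B64.encodeToString(b);
    }

    /** One cookie per transaction: a second tab's login cannot overwrite the first tab's. */
    static String cookieName(String state) { return "auth0_tx_" + state; }

    /** HMAC over (state, origin): a value issued for one state is useless under another. */
    private String tag(String state, String origin) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            mac.update(state.getBytes(StandardCharsets.UTF_8));
            mac.update((byte) 0);                               // separator between the two fields
            mac.update(origin.getBytes(StandardCharsets.UTF_8));
            return B64.encodeToString(mac.doFinal());
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Login start: set the transaction cookie and return the state for the authorize URL. */
    public String begin(String originDomain) {
        String state = newState();
        String value = B64.encodeToString(originDomain.getBytes(StandardCharsets.UTF_8))
                + "." + tag(state, originDomain);
        jar.put(cookieName(state), value);
        return state;
    }

    /** Callback: find the cookie for the echoed state, verify the tag, consume it. */
    public Optional<String> complete(String echoedState) {
        String raw = jar.remove(cookieName(echoedState));       // single use, whatever the outcome
        if (raw == null) return Optional.empty();               // unknown or already-used transaction
        int dot = raw.lastIndexOf('.');
        if (dot < 0) return Optional.empty();
        String origin = new String(B64D.decode(raw.substring(0, dot)), StandardCharsets.UTF_8);
        byte[] expected = tag(echoedState, origin).getBytes(StandardCharsets.UTF_8);
        byte[] actual = raw.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) return Optional.empty();   // constant-time compare
        return Optional.of(origin);
    }

    public static void main(String[] args) {
        byte[] key = new byte[32];
        RNG.nextBytes(key);
        TxCookies c = new TxCookies(key);

        // Two tabs start logins against different origin domains before either finishes;
        // each callback resolves against its own cookie.
        String tab1 = c.begin("login.example.com");
        String tab2 = c.begin("login.example.org");
        System.out.println("tab2 -> " + c.complete(tab2));
        System.out.println("tab1 -> " + c.complete(tab1));

        // Transplant a valid cookie value under a fresh state: the tag was computed over
        // the original state, so the bound value is rejected and the cookie is consumed.
        String s3 = c.begin("login.example.com");
        String s4 = newState();
        c.jar.put(cookieName(s4), c.jar.get(cookieName(s3)));
        System.out.println("transplanted -> " + c.complete(s4));
        System.out.println("replayed     -> " + c.complete(s4));
    }
}
```

Run with java TxCookies.java (Java 17). The first two lookups succeed independently because the cookie name carries the state; the transplanted cookie fails because the HMAC was computed over the original state, and the second attempt fails because complete() removes the cookie before checking it, so a rejected value cannot be retried.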
tanya732 requested a review from a team as a code owner May 29, 2026 15:32
tanya732 merged commit b17fc88 into v2 May 29, 2026
6 checks passed
tanya732 deleted the release/2.0.0-beta.0 branch May 29, 2026 15:36
tanya732 deployed to release May 29, 2026 15:38 with GitHub Actions