4.5.0 (2025-01-22)
Added
- Fix jackson vuln #705 (tanya732)
- Fix typo in example code #682 (kasperkarlsson)
- Remove dead README links #676 (jimmyjames)
- Fix typo on a comment in JWTCreator.java #672 (sgc109)
- Remove CircleCI #670 (jimmyjames)
- Empty string audience claim should be deserialized as empty string #663 (jimmyjames)
Fixed
- empty expected audience array should throw InvalidClaimException #679 (jimmyjames)
4.4.0 (2023-03-31)
Changed
- Add support for passing json values for header and payload #643 (andrewrigas)
- Preserve insertion order for claims #656 (snago)
- Update Jackson to 2.14.2 #657 (jimmyjames)
4.3.0 (2023-02-10)
Changed
Fixed
- Fix for exp claim considered valid if equal to now #652 (jimmyjames)
- Code cleanup #642 (CodeDead)
4.2.2 (2023-01-11)
This patch release does not contain any functional changes, but is being released using an updated signing key for verification as part of our commitment to best security practices. Please review the README note for additional details.
4.2.1 (2022-10-24)
Security
- Use latest ship orb #634 (jimmyjames)
- Bump
com.fasterxml.jackson.core:jackson-databind
to 2.13.4.2 #630 (evansims)
4.2.0 (2022-10-19)
Changed
- Re-enable japicmp API diff checking #619 (jimmyjames)
- Update .shiprc to only update lib version in build.gradle #625 (jimmyjames)
- Optimise TokenUtils parsing #611 (noetro)
- Update Circle Ship Orb configuration #616 (frederikprijck)
Fixed
- Update Claim#asString documentation #615 (jimmyjames)
4.1.0 (2022-10-06)
Added
- Add integration with our Shipping orb #612 (frederikprijck)
- Add Ship CLI support #609 (jimmyjames)
- Provide straightforward example for JWKS #600 (poovamraj)
Changed
- Update to gradle 6.9.2 #608 (jimmyjames)
- Update OSS plugin to latest #607 (jimmyjames)
- [SDK-3466] Upgrade Codecov #595 (evansims)
- Update README.md #590 (poovamraj)
Fixed
- Check for null token before splitting #606 (jimmyjames)
- [SDK-3816] Update docs for verification thread-safety #605 (jimmyjames)
4.0.0 (2022-06-24)
This is a major release and contains breaking changes!
- Check the Migration Guide to understand the changes required to migrate your application to v4.
- Predicates based claim verification
- Support for Instant API and Lambda functions
- Improved Exceptions API
- Consistent null handling
See the changelog entries for additional details.
4.0.0-beta.0 (2022-05-06)
💡 Check the Migration Guide to understand the changes required to migrate your application to v4.
Added
- JavaDoc updated #577 (poovamraj)
- Add Migration Guide #576 (jimmyjames)
- Expose claim name and header constants #574 (jimmyjames)
- Added support for multiple checks on a single claim #573 (poovamraj)
- Improved README structure #571 (poovamraj)
- Improved Exception Handling #568 (poovamraj)
- Predicate based Claim verification #562 (poovamraj)
- Add lint checks #561 (poovamraj)
- Support date/time custom claim validation #538 (jimmyjames)
- Add Instant support #537 (jimmyjames)
- Testing Java LTS versions #536 (poovamraj)
Changed
- Null claim handling #564 (poovamraj)
- Undeprecate Single Key Constructor for Algorithms #551 (poovamraj)
- Update documentation and undeprecate single content sign methods #550 (poovamraj)
- Update test deps #539 (jimmyjames)
Deprecated
Removed
- Remove ES256K support #556 (poovamraj)
- Remove impl package export in module-info #553 (poovamraj)
- Remove internal Clock #533 (jimmyjames)
Fixed
- Improve keyprovider reliability #570 (poovamraj)
- Support date/time custom claim validation #538 (jimmyjames)
- Test only change - remove unnecessary throws clause from tests #535 (jimmyjames)
Security
Breaking changes
- Added support for multiple checks on a single claim #573 (poovamraj)
- Improve keyprovider reliability #570 (poovamraj)
- Remove ES256K support #556 (poovamraj)
- Remove impl package export in module-info #553 (poovamraj)
- Fix header claims serialization #549 (jimmyjames)
- Serialize dates in collections as seconds since epoch #534 (jimmyjames)
- Replace com.auth0.jwt.interfaces.Clock with java.time.Clock #532 (jimmyjames)
3.19.2 (2022-05-05)
Security
3.19.1 (2022-03-30)
Security
3.19.0 (2022-03-14)
Deprecated
Fixed
- fix typos in JWTVerifier#verify docstring #526 (OdunlamiZO)
Security
3.18.3 (2022-01-13)
Security
3.18.2 (2021-09-16)
Fixed
- [SDK-2758] Restore withIssuer #513 (jimmyjames)
- [SDK-2751] Serialize audience claim when a List #512 (jimmyjames)
3.18.1 (2021-07-06)
Fixed
- Fix min JDK version regression #504 (lbalmaceda)
3.18.0 (2021-07-05)
Changed
- Update OSS release plugin version #501 (lbalmaceda)
3.17.0 (2021-06-25)
Added
3.16.0 (2021-05-10)
Changed
- Improve Javadoc generation #496 (Marcono1234)
- Add package-info.java for internal
impl
package #495 (Marcono1234)
3.15.0 (2021-04-05)
Changed
- Remove jcenter #482 (jimmyjames)
- Move form commons-codec Base64 to j.u.Base64 #478 (XakepSDK)
3.14.0 (2021-02-26)
Added
- Add withPayload to JWTCreator.Builder #475 (jimmyjames)
3.13.0 (2021-02-05)
Added
- Add ability to verify audience contains at least one of those expected #472 (jimmyjames)
- Add toString to Claim objects [SDK-2225] #469 (jimmyjames)
3.12.1 (2021-01-20)
Changed
- Update jackson-databind to 2.11.0 #464 (darveshsingh)
3.12.0 (2020-12-18)
Changed
Security
- Update jackson-databind to 2.10.5.1 (fixes CVE-2020-25649) #463 (overheadhunter)
Breaking changes
- Target Java 8 #455 (lbalmaceda)
3.11.0 (2020-09-25)
Added
- Add ability to verify claim presence #442 (jimmyjames)
- Add Support for secp256k1 algorithms (AKA ES256K) #439 (jimmyjames)
Fixed
- Fix and document thread-safety #427 (lbalmaceda)
- Wrap IllegalArgumentException into JWTDecodeException #426 (lbalmaceda)
3.10.3 (2020-04-24)
Fixed
- Fixed an NPE on null map and list claims #417 (Vorotyntsev)
3.10.2 (2020-03-27)
Fixed
- JavaDoc fix #413 (jimmyjames)
- Check varargs null values in JWTVerifier #412 (jimmyjames)
3.10.1 (2020-03-13)
Changed
- Update Jackson and Commons Codec dependencies #407 (jimmyjames)
Security
3.10.0 (2020-02-14)
Full Changelog Closed issues
- NullPointerException when the claim doesn't exist in the token #384
Added
- Add Javadoc URL and badge to the README #382 (lbalmaceda)
- Allow to customize the typ header claim #381 (lbalmaceda)
- JWTCreator for basic types #282 (skjolber)
- Support verification of Long[] datatype like in JWTCreator #278 (skjolber)
Changed
- Update to Gradle 6.1.1 #389 (jimmyjames)
Fixed
- Handle missing expected array claim #393 (lbalmaceda)
- Update tests to use valid Base64 URL-encoded tokens #386 (jimmyjames)
3.9.0 (2020-01-02)
Added
- Support serialization of DecodedJWT #370 (jimmyjames)
Fixed
3.8.3 (2019-09-25)
Security
- Fix: updated jackson-databind to 2.10.0.pr3 to block CVE #356 (danbrodsky)
3.8.2 (2019-08-15)
Security
- Fix: updated jackson-databind to 2.9.9.3 to block CVE #347 (danbrodsky)
3.8.1 (2019-05-22)
Security
- Bump dependencies and fix security issue #337 (lbalmaceda)
3.8.0 (2019-03-14)
Added
- Support multiple issuers #246 #288 (itdevelopmentapps)
3.7.0 (2019-01-29)
Added
3.6.0 (2019-01-24)
Added
- Allow to skip "issued at" validation #297 (complanboy2)
3.5.0 (2019-01-03)
Added
- Verify a DecodedJWT #308 (martinoconnor)
Changed
Fixed
- Remove unnecessary cast between long/double and floor call #296 (jhorstmann)
Security
- Bump jackson-databind to patch security issues #309 (lbalmaceda)
3.4.1 (2018-10-24)
Security
- Update jackson-databind dependency #292 (lbalmaceda)
3.4.0 (2018-06-13)
Breaking Changes
- Fix for #236 - refactored HMACAlgorithm so that it doesn't throw an UnsupportedEncodingException #242 (obecker).
Clients using the following methods may need to update their code to not catch an UnsupportedEncodingException
:
public static Algorithm HMAC384(String secret)
public static Algorithm HMAC256(String secret)
public static Algorithm HMAC512(String secret)
Changed
- Throw JWTDecodeException when date claim format is invalid #241 (lbalmaceda)
Security
3.3.0 (2017-11-06)
Full Changelog Closed issues
- Wrong ES256 signature length #187
Fixed
- Rework ECDSA #212 (lbalmaceda)
- Instantiate exception only when required #198 (rumdidumdum)
3.2.0 (2017-05-04)
Full Changelog Closed issues
- Claim.isNull() returns true for JSON Object constructed claims #160
- Incorrectly rejects whitespace after JSON header as invalid #144
- No token type #136
- Timestamps are limited by Integer/int to 2038-01-19T04:14:07.000+0100 #132
Added
- Refactor KeyProvider to receive the "Key Id" #167 (lbalmaceda)
- Add Sign/Verify of Long type claims #157 (vrancic)
- added date validation dedicated exception #155 (Spyna)
- Allow to get a Claim as Map #152 (lbalmaceda)
- Add Algorithm KeyProvider interface #149 (lbalmaceda)
- Instantiate RSA/EC Algorithm with both keys #147 (lbalmaceda)
- Add Key Id setter and set JWT Type after signing #138 (lbalmaceda)
Changed
- Change the JWT.decode() return type to DecodedJWT #150 (lbalmaceda)
Fixed
- Fix Claim.isNull() method for JSON Objects #161 (lbalmaceda)
- Accept blanks, new line and carriage returns on JSON #151 (lbalmaceda)
- Fix Date value conversion #137 (lbalmaceda)
3.1.0 (2017-01-04)
Added
- Make Clock customization accessible for verification #125 (lbalmaceda)
- Add getter for all the Payload's Claims #124 (lbalmaceda)
- Accept Array type on verification and creation. #123 (lbalmaceda)
3.0.2 (2016-12-13)
Fixed
3.0.1 (2016-12-05)
Update to allow sync with Maven Central
3.0.0 (2016-12-05)
Reimplemented java-jwt to improve API and include more signing algorithms
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.0.0</version>
</dependency>
compile 'com.auth0:java-jwt:3.0.0'
The library implements JWT Verification and Signing using the following algorithms:
JWS | Algorithm | Description |
---|---|---|
HS256 | HMAC256 | HMAC with SHA-256 |
HS384 | HMAC384 | HMAC with SHA-384 |
HS512 | HMAC512 | HMAC with SHA-512 |
RS256 | RSA256 | RSASSA-PKCS1-v1_5 with SHA-256 |
RS384 | RSA384 | RSASSA-PKCS1-v1_5 with SHA-384 |
RS512 | RSA512 | RSASSA-PKCS1-v1_5 with SHA-512 |
ES256 | ECDSA256 | ECDSA with curve P-256 and SHA-256 |
ES384 | ECDSA384 | ECDSA with curve P-384 and SHA-384 |
ES512 | ECDSA512 | ECDSA with curve P-521 and SHA-512 |