3.19.0 (2022-03-14)
Deprecated
Fixed
- fix typos in JWTVerifier#verify docstring #526 (OdunlamiZO)
Security
3.18.3 (2022-01-13)
Security
3.18.2 (2021-09-16)
Fixed
- [SDK-2758] Restore withIssuer #513 (jimmyjames)
- [SDK-2751] Serialize audience claim when a List #512 (jimmyjames)
3.18.1 (2021-07-06)
Fixed
- Fix min JDK version regression #504 (lbalmaceda)
3.18.0 (2021-07-05)
Changed
- Update OSS release plugin version #501 (lbalmaceda)
3.17.0 (2021-06-25)
Added
3.16.0 (2021-05-10)
Changed
- Improve Javadoc generation #496 (Marcono1234)
- Add package-info.java for internal
implpackage #495 (Marcono1234)
3.15.0 (2021-04-05)
Changed
- Remove jcenter #482 (jimmyjames)
- Move form commons-codec Base64 to j.u.Base64 #478 (XakepSDK)
3.14.0 (2021-02-26)
Added
- Add withPayload to JWTCreator.Builder #475 (jimmyjames)
3.13.0 (2021-02-05)
Added
- Add ability to verify audience contains at least one of those expected #472 (jimmyjames)
- Add toString to Claim objects [SDK-2225] #469 (jimmyjames)
3.12.1 (2021-01-20)
Changed
- Update jackson-databind to 2.11.0 #464 (darveshsingh)
3.12.0 (2020-12-18)
Changed
Security
- Update jackson-databind to 2.10.5.1 (fixes CVE-2020-25649) #463 (overheadhunter)
Breaking changes
- Target Java 8 #455 (lbalmaceda)
3.11.0 (2020-09-25)
Added
- Add ability to verify claim presence #442 (jimmyjames)
- Add Support for secp256k1 algorithms (AKA ES256K) #439 (jimmyjames)
Fixed
- Fix and document thread-safety #427 (lbalmaceda)
- Wrap IllegalArgumentException into JWTDecodeException #426 (lbalmaceda)
3.10.3 (2020-04-24)
Fixed
- Fixed an NPE on null map and list claims #417 (Vorotyntsev)
3.10.2 (2020-03-27)
Fixed
- JavaDoc fix #413 (jimmyjames)
- Check varargs null values in JWTVerifier #412 (jimmyjames)
3.10.1 (2020-03-13)
Changed
- Update Jackson and Commons Codec dependencies #407 (jimmyjames)
Security
3.10.0 (2020-02-14)
Full Changelog Closed issues
- NullPointerException when the claim doesn't exist in the token #384
Added
- Add Javadoc URL and badge to the README #382 (lbalmaceda)
- Allow to customize the typ header claim #381 (lbalmaceda)
- JWTCreator for basic types #282 (skjolber)
- Support verification of Long[] datatype like in JWTCreator #278 (skjolber)
Changed
- Update to Gradle 6.1.1 #389 (jimmyjames)
Fixed
- Handle missing expected array claim #393 (lbalmaceda)
- Update tests to use valid Base64 URL-encoded tokens #386 (jimmyjames)
3.9.0 (2020-01-02)
Added
- Support serialization of DecodedJWT #370 (jimmyjames)
Fixed
3.8.3 (2019-09-25)
Security
- Fix: updated jackson-databind to 2.10.0.pr3 to block CVE #356 (danbrodsky)
3.8.2 (2019-08-15)
Security
- Fix: updated jackson-databind to 2.9.9.3 to block CVE #347 (danbrodsky)
3.8.1 (2019-05-22)
Security
- Bump dependencies and fix security issue #337 (lbalmaceda)
3.8.0 (2019-03-14)
Added
- Support multiple issuers #246 #288 (itdevelopmentapps)
3.7.0 (2019-01-29)
Added
3.6.0 (2019-01-24)
Added
- Allow to skip "issued at" validation #297 (complanboy2)
3.5.0 (2019-01-03)
Added
- Verify a DecodedJWT #308 (martinoconnor)
Changed
Fixed
- Remove unnecessary cast between long/double and floor call #296 (jhorstmann)
Security
- Bump jackson-databind to patch security issues #309 (lbalmaceda)
3.4.1 (2018-10-24)
Security
- Update jackson-databind dependency #292 (lbalmaceda)
3.4.0 (2018-06-13)
Breaking Changes
- Fix for #236 - refactored HMACAlgorithm so that it doesn't throw an UnsupportedEncodingException #242 (obecker).
Clients using the following methods may need to update their code to not catch an UnsupportedEncodingException:
public static Algorithm HMAC384(String secret)public static Algorithm HMAC256(String secret)public static Algorithm HMAC512(String secret)
Changed
- Throw JWTDecodeException when date claim format is invalid #241 (lbalmaceda)
Security
3.3.0 (2017-11-06)
Full Changelog Closed issues
- Wrong ES256 signature length #187
Fixed
- Rework ECDSA #212 (lbalmaceda)
- Instantiate exception only when required #198 (rumdidumdum)
3.2.0 (2017-05-04)
Full Changelog Closed issues
- Claim.isNull() returns true for JSON Object constructed claims #160
- Incorrectly rejects whitespace after JSON header as invalid #144
- No token type #136
- Timestamps are limited by Integer/int to 2038-01-19T04:14:07.000+0100 #132
Added
- Refactor KeyProvider to receive the "Key Id" #167 (lbalmaceda)
- Add Sign/Verify of Long type claims #157 (vrancic)
- added date validation dedicated exception #155 (Spyna)
- Allow to get a Claim as Map #152 (lbalmaceda)
- Add Algorithm KeyProvider interface #149 (lbalmaceda)
- Instantiate RSA/EC Algorithm with both keys #147 (lbalmaceda)
- Add Key Id setter and set JWT Type after signing #138 (lbalmaceda)
Changed
- Change the JWT.decode() return type to DecodedJWT #150 (lbalmaceda)
Fixed
- Fix Claim.isNull() method for JSON Objects #161 (lbalmaceda)
- Accept blanks, new line and carriage returns on JSON #151 (lbalmaceda)
- Fix Date value conversion #137 (lbalmaceda)
3.1.0 (2017-01-04)
Added
- Make Clock customization accessible for verification #125 (lbalmaceda)
- Add getter for all the Payload's Claims #124 (lbalmaceda)
- Accept Array type on verification and creation. #123 (lbalmaceda)
3.0.2 (2016-12-13)
Fixed
3.0.1 (2016-12-05)
Update to allow sync with Maven Central
3.0.0 (2016-12-05)
Reimplemented java-jwt to improve API and include more signing algorithms
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.0.0</version>
</dependency>compile 'com.auth0:java-jwt:3.0.0'The library implements JWT Verification and Signing using the following algorithms:
| JWS | Algorithm | Description |
|---|---|---|
| HS256 | HMAC256 | HMAC with SHA-256 |
| HS384 | HMAC384 | HMAC with SHA-384 |
| HS512 | HMAC512 | HMAC with SHA-512 |
| RS256 | RSA256 | RSASSA-PKCS1-v1_5 with SHA-256 |
| RS384 | RSA384 | RSASSA-PKCS1-v1_5 with SHA-384 |
| RS512 | RSA512 | RSASSA-PKCS1-v1_5 with SHA-512 |
| ES256 | ECDSA256 | ECDSA with curve P-256 and SHA-256 |
| ES384 | ECDSA384 | ECDSA with curve P-384 and SHA-384 |
| ES512 | ECDSA512 | ECDSA with curve P-521 and SHA-512 |