Any upgrade guide for migrating from auth0-spring-security-api v0.3.3 to 1.0.0?

The APIs seem quite different and the quick start guide only talks about 0.3.3: Auth0 Spring Boot API SDK Quickstarts: Authorization

Is there any migration guide?

Or is there a new version of the quick start guide I should be using?

Should I be avoiding 1.0.0 until it’s released? (currently only at “release candidate 2”)

The quick start guide and readme file for the auth0-spring-security-api have now been updated to show an example

Note that the 1.+ version upgrade is a major re-write that appears to be strongly tied to the new strict OIDC conformance pipeline. There is no guide for upgrading - if you had to customise/extend the Auth0 code for your project, you will have to re-write those bits of code. You will likely need to write more code for this, the 1.0.+ library is a bit less flexible than 0.3+ (less customisation points, no support for a custom AuthorityStrategy, etc.)

You can get the 0.+ branch working with the OIDC conformant pipeline, but you probably shouldn't - the 1.+ branch has proper support for JWK and means you won't have to deal with downloading/configuring the public certificate yourself.

Note for people using 0.3.3:

If you don't have time to upgrade your custom code for the 1.+ branch and decide to keep using the 0.+ branch and swap to RS256 algorithm, you need to upgrade to version 0.4+ at least (which has no breaking changes).

Version 0.3.3 of the library has a vulnerability where it doesn't validate the issuer field when using the RS256 algorithm (and OIDC conformance requires RS256).