The APIs seem quite different and the quick start guide only talks about 0.3.3: Auth0 Spring Boot API SDK Quickstarts: Authorization
Is there any migration guide?
Or is there a new version of the quick start guide I should be using?
Should I be avoiding 1.0.0 until it’s released? (currently only at “release candidate 2”)
The quick start guide and readme file for the auth0-spring-security-api have now been updated to show an example.
Note that the 1.+ version upgrade is a major re-write that appears to be strongly tied to the new strict OIDC conformance pipeline. There is no guide for upgrading - if you had to customise/extend the Auth0 code for your project, you will have to re-write those bits of code. You will likely need to write more code for this; the 1.0.+ library is a bit less flexible than 0.3+ (fewer customisation points, no support for a custom AuthorityStrategy, etc.).
You can get the 0.+ branch working with the OIDC conformant pipeline, but you probably shouldn't - the 1.+ branch has proper support for JWK and means you won't have to deal with downloading/configuring the public certificate yourself.
Note for people using 0.3.3:
If you don't have time to upgrade your custom code for the 1.+ branch and decide to keep using the 0.+ branch and swap to the RS256 algorithm, you need to upgrade to version 0.4+ at least (which has no breaking changes).
Version 0.3.3 of the library has a vulnerability where it doesn't validate the issuer field when using the RS256 algorithm (and OIDC conformance requires RS256).
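
To check that a given setup really enforces the issuer under RS256, the following sketch compares a signature-only verifier with one that also pins the issuer. It is an added example, not code from this thread or from the auth0-spring-security-api project; it assumes the `com.auth0:java-jwt` library is on the classpath, and the issuer and audience URLs and the in-memory key pair are constructed for the demonstration.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;

public class IssuerCheckDemo {
    // Constructed values for the demo (assumptions, not real tenants).
    static final String EXPECTED_ISSUER = "https://tenant.example/";
    static final String OTHER_ISSUER = "https://other.example/";
    static final String AUDIENCE = "https://api.example";

    // True if the verifier accepts the token, false on any verification failure.
    static boolean accepts(JWTVerifier verifier, String token) {
        try {
            verifier.verify(token);
            return true;
        } catch (JWTVerificationException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Throwaway RSA key pair standing in for a signing key the API trusts.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Algorithm rs256 = Algorithm.RSA256(
                (RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());

        // Two validly signed tokens that differ only in the iss claim.
        String good = JWT.create().withIssuer(EXPECTED_ISSUER).withAudience(AUDIENCE).sign(rs256);
        String wrongIss = JWT.create().withIssuer(OTHER_ISSUER).withAudience(AUDIENCE).sign(rs256);

        // Signature-only check: mirrors a verifier that never looks at iss.
        JWTVerifier signatureOnly = JWT.require(rs256).build();
        // Signature plus pinned issuer and audience.
        JWTVerifier pinned = JWT.require(rs256)
                .withIssuer(EXPECTED_ISSUER).withAudience(AUDIENCE).build();

        System.out.println("signature-only, expected issuer: " + accepts(signatureOnly, good));
        System.out.println("signature-only, other issuer:    " + accepts(signatureOnly, wrongIss));
        System.out.println("issuer pinned,  expected issuer: " + accepts(pinned, good));
        System.out.println("issuer pinned,  other issuer:    " + accepts(pinned, wrongIss));
    }
}
```

Only the last case should print `false`; a regression test for an upgraded API can assert the same thing by sending a correctly signed token with an unexpected `iss` and expecting a rejection.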