I have been looking at the API code and noticed the use of getSession() in com.auth0.SessionUtils.java. This has implications for the usage of this API in a stateless application cluster. I was planning to run my application with no persistent state on the server side.
My question is, to what extent are you relying on persistent state?
If I turn it off on my app will it stop working when my users are not sent back to the same server instance?
If it is a Java API only (REST API), then there is no need for persistent state at all. If you have implemented it correctly, you should just be pulling the Access Token out of the Authorization header and validating that Access Token. The validation of this token does not require any state.
If this is a regular web app instead, then you do need to store the state in the session so that you can validate it when your callback is called. Also, people tend to store a returnTo URL so that you can be redirected to your final destination.
So, if you are just an API you should be good; if you are a web app, then you need some common session store on the server side to keep your state safely.
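The two cases in the answer above, as an added example that is not part of the original thread and not code from the Auth0 Java library. The first part validates the Access Token straight out of the Authorization header with no server-side state; the second part shows why the web-app callback does need a store that every instance can reach. Assumptions made for the example: a shared HS256 secret stands in for RS256/JWKS verification, the issuer and audience values are hypothetical, and a plain dict plays the role of the shared session store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the example (assumptions, not real tenant settings).
API_SECRET = b"constructed-example-secret"      # shared by every API instance
ISSUER = "https://example-tenant.auth0.com/"    # hypothetical issuer
AUDIENCE = "https://api.example.com"            # hypothetical API identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = API_SECRET) -> str:
    """Builds an HS256 JWT; only here so the example can produce test input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_bearer(authorization_header, now=None, secret: bytes = API_SECRET):
    """Stateless check of the Access Token carried in an Authorization header.

    Returns the claims dict on success, None on any failure. Nothing here reads
    a session: any API instance can validate any request with the same code.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[len("Bearer "):].strip().split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # pin the algorithm, never accept "none"
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != ISSUER or not isinstance(aud, list) or AUDIENCE not in aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


# Web-app side: the login redirect must remember `state` and `returnTo` somewhere
# every instance can read on the callback. This dict stands in for a shared
# session store (Redis, a database, ...); a per-instance in-memory session would
# fail whenever the callback lands on a different node.
shared_session_store: dict = {}


def begin_login(session_id: str, return_to: str) -> str:
    """Generates the state for the authorize redirect and stores it with returnTo."""
    state = secrets.token_urlsafe(32)
    shared_session_store[session_id] = {"state": state, "returnTo": return_to}
    return state


def handle_callback(session_id: str, state_param: str):
    """Validates the state echoed back by the callback; single use, constant-time compare.

    Returns the stored returnTo URL on success, None on mismatch or replay.
    """
    entry = shared_session_store.pop(session_id, None)
    if entry is None or not hmac.compare_digest(entry["state"], state_param):
        return None
    return entry["returnTo"]
```

The API path never touches `shared_session_store`, which is the whole point of the answer: a bearer token carries everything the check needs, so turning off sticky sessions costs nothing there. The web-app path must keep `state` between two requests, and those two requests are exactly the ones a load balancer may send to different instances.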