Java-jwt 2 to 3 migration guide?

ss401533 · February 16, 2023, 7:16pm

I need to migrate some legacy code (not written by me) from:

    compile group: 'com.auth0', name: 'java-jwt', version: '2.2.0'

to:

    compile group: 'com.auth0', name: 'java-jwt', version: '4.3.0'

and am unsure about how to replace:

com.auth0.jwt.JWTSigner

with

com.auth0.jwt.JWTVerifier

(assuming that that’s even the right class!).

I have basic knowledge of JWT conceptually, but not previous experience with this library or with the application that is using it.

I valuely see that JWTSigner.Options corresponds to Map<String,Object> claims but am unsure about the correspondence between:

return jwtSigner.sign(claims, options.getOptions());

and

return JWT.require(options.getAlgorithm().getAlgorithm()).build().verify(secret).getPayload()

Can anyone point me to any reading material / code samples etc. that makes it more obvious?

This is useful but not foolproof:

github.com

auth0/java-jwt/blob/master/EXAMPLES.md

# Examples using java-jwt

* [Inspecting a DecodedJWT](#inspecting-a-decodedjwt)
* [DateTime Claim Validation](#datetime-claim-validation)
* [Using custom claims](#using-custom-claims)
* [Using a KeyProvider](#using-a-keyprovider)

## Inspecting a DecodedJWT

The successful verification of a JWT returns a `DecodedJWT`, from which you can obtain its contents.

```java
DecodedJWT jwt = JWT.require(algorithm)
        .build()
        .verify("a.b.c");

// standard claims can be retrieved through first-class methods
String subject = jwt.getSubject();
String aud = jwt.getAudience();
// ...

This file has been truncated. show original