Nimbus JOSE+JWT 9.0

There is a new major release of the Nimbus JOSE+JWT library. No new features are being added, but there is a breaking change: the JSON Smart dependency is now safely shaded, to prevent potential conflicts in projects with other dependencies on JSON Smart. The credits for this long-awaited change go to Toma Velev.

The shading is declared like this in the pom.xml:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-shade-plugin</artifactId>
    <version>3.2.4</version>
    <configuration>
        <relocations>
            <relocation>
                <pattern>net.minidev.json</pattern>
                <shadedPattern>com.nimbusds.jose.shaded.json</shadedPattern>
            </relocation>
        </relocations>
        <artifactSet>
            <includes>
                <include>net.minidev:json-smart</include>
            </includes>
        </artifactSet>
    </configuration>
    <executions>
        <execution>
            <phase>package</phase>
            <goals>
                <goal>shade</goal>
            </goals>
        </execution>
    </executions>
</plugin>

Upgrading

After the shading, classes from the JSON Smart library will no longer appear in the public APIs. If you rely on calls to such classes, see the release notes below for how to update your code. Some users may not need any changes at all.

Discussion on the release and back-porting process post v9.0

Josh Cummings from Spring Security started a discussion on how to proceed with releases and back-ports in v8.x and v9.x. You can comment in the thread.

Upgrading the OAuth 2.0 / OpenID Connect SDK

A volunteer opened a ticket to upgrade the OAuth 2.0 SDK. There will likely also be a discussion about shading JSON Smart in the SDK.

Release notes

version 9.0 (2020-09-06)

  • Replaces or removes all JSON Smart interfaces and classes from all visible classes and methods in the library. Replaces all net.minidev.json.JSONObject method arguments and return types with java.util.Map<String,Object>. Replaces all net.minidev.json.JSONArray method arguments and return types with java.util.List<Object>. Removes the net.minidev.json.JSONAware interface from all classes, leaving their toJSONString methods intact.
  • Adds new JSONObjectUtils.toJSONString static methods for serialising a java.util.Map<String,Object> to a JSON object entity.
  • Adds new JSONObjectUtils.newJSONObject static helper method.
  • Adds new JSONArrayUtils.newJSONArray static helper method.
  • Shades the net.minidev:json-smart:1.3.1 dependency.
  • JWK.parse with missing "kty" member must throw ParseException (iss #363).
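
The following migration sketch is an added example, not code from the library or its authors. It shows how 8.x code that touched net.minidev.json types maps onto the 9.0 API listed in the release notes above; the class name, claim names and sample values are constructed for illustration.

```java
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.JSONArrayUtils;
import com.nimbusds.jose.util.JSONObjectUtils;
import com.nimbusds.jwt.JWTClaimsSet;

import java.text.ParseException;
import java.util.List;
import java.util.Map;

public class Upgrade9Example {

    public static void main(String[] args) throws ParseException {
        // 8.x: net.minidev.json.JSONObject o = JSONObjectUtils.parse(...);
        // 9.0: the public API returns a plain java.util.Map.
        String input = "{\"sub\":\"alice\",\"address\":{\"country\":\"BG\"}}"; // constructed sample
        Map<String, Object> parsed = JSONObjectUtils.parse(input);

        // Nested objects: test against Map, never cast to net.minidev.json.JSONObject;
        // the relocated classes live under com.nimbusds.jose.shaded.json.
        Object address = parsed.get("address");
        if (address instanceof Map) {
            System.out.println("country = " + ((Map<?, ?>) address).get("country"));
        }

        // 8.x: new JSONObject() / new JSONArray(); 9.0: the new static helpers.
        Map<String, Object> out = JSONObjectUtils.newJSONObject();
        List<Object> aud = JSONArrayUtils.newJSONArray();
        aud.add("https://api.example.com"); // constructed value
        out.put("aud", aud);
        // 8.x: jsonObject.toJSONString(); 9.0: static serialiser for a Map.
        System.out.println(JSONObjectUtils.toJSONString(out));

        // Claims sets now hand back a Map as well.
        JWTClaimsSet claims = JWTClaimsSet.parse(parsed);
        Map<String, Object> claimsJson = claims.toJSONObject();
        System.out.println(JSONObjectUtils.toJSONString(claimsJson));

        // A JWK without "kty" must be rejected with ParseException (iss #363).
        Map<String, Object> badJwk = JSONObjectUtils.newJSONObject();
        badJwk.put("k", "c2FtcGxl"); // constructed value, no "kty" member
        try {
            JWK.parse(badJwk);
            throw new IllegalStateException("JWK without kty was accepted");
        } catch (ParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```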