smallrye · Jun 17, 2024 · Jul 4, 2024 · Jul 18, 2024 · Aug 13, 2024 · Aug 14, 2024
diff --git a/.github/project.yml b/.github/project.yml
@@ -1,4 +1,4 @@
 name: SmallRye JWT
 release:
-  current-version: 4.5.3
-  next-version: 4.5.4-SNAPSHOT
+  current-version: 4.6.1
+  next-version: 4.6.2-SNAPSHOT
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - jakarta
     paths-ignore:
       - '.gitignore'
       - 'CODEOWNERS'
@@ -28,21 +27,24 @@ jobs:
     name: build with jdk ${{matrix.java}}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         name: checkout
 
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v4
         name: set up jdk ${{matrix.java}}
         with:
+          distribution: 'temurin'
           java-version: ${{matrix.java}}
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
 
       - name: build with maven
         run: mvn -B formatter:validate verify --file pom.xml
 
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@v4
         name: tck-report
         with:
-          name: tck-report
+          name: tck-report-java-${{matrix.java}}
           path: testsuite/tck/target/surefire-reports
 
   build-windows:
@@ -53,13 +55,16 @@ jobs:
     name: build with jdk ${{matrix.java}} windows
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         name: checkout
 
-      - uses: actions/setup-java@v1
+      - uses: actions/setup-java@v4
         name: set up jdk ${{matrix.java}}
         with:
+          distribution: 'temurin'
           java-version: ${{matrix.java}}
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
 
       - name: build with maven
         run: mvn -B formatter:validate verify --file pom.xml
@@ -71,15 +76,27 @@ jobs:
     name: quality
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-java@v1
+
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 11
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
+
+      - name: build with docs and coverage
+        run: mvn verify -Pcoverage javadoc:javadoc
+
+      - uses: actions/setup-java@v4
         with:
+          distribution: 'temurin'
           java-version: 17
 
       - name: sonar
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
           SONAR_TOKEN: ${{secrets.SONAR_TOKEN}}
-        run: mvn -B verify --file pom.xml -Pcoverage javadoc:javadoc sonar:sonar -Dsonar.projectKey=smallrye_smallrye-jwt -Dsonar.token=$SONAR_TOKEN
+        run: mvn sonar:sonar -Psonar -Dsonar.token=${{secrets.SONAR_TOKEN}}
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
@@ -0,0 +1,18 @@
+name: SmallRye Prepare Release
+
+on:
+  pull_request:
+    types: [ closed ]
+    paths:
+      - '.github/project.yml'
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  prepare-release:
+    name: Prepare Release
+    if: ${{ github.event.pull_request.merged == true}}
+    uses: smallrye/.github/.github/workflows/prepare-release.yml@main
+    secrets: inherit
diff --git a/.github/workflows/publish-tck.yml b/.github/workflows/publish-tck.yml
@@ -0,0 +1,41 @@
+name: Publish TCK
+
+on:
+  workflow_call:
+    inputs:
+      version:
+        required: true
+        description: Tag version to perform release
+        type: string
+
+jobs:
+  publish-tck:
+    name: Publish TCK
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java: [ 11, 17, 21 ]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: checkout ${{inputs.version}}
+        with:
+          ref: ${{inputs.version}}
+
+      - uses: actions/setup-java@v4
+        name: set up jdk ${{matrix.java}}
+        with:
+          distribution: 'temurin'
+          java-version: ${{matrix.java}}
+          cache: 'maven'
+          cache-dependency-path: '**/pom.xml'
+
+      - name: generate tck report for jdk ${{matrix.java}}
+        env:
+          GH_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          ZIP_NAME: smallrye-jwt-${{inputs.version}}-tck-results-java-${{matrix.java}}.zip
+        run: |
+          mvn -B formatter:validate verify --file pom.xml
+          cd testsuite/tck/target
+          zip -r $ZIP_NAME surefire-reports/
+          gh release upload ${{inputs.version}} $ZIP_NAME
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,65 +1,36 @@
 name: SmallRye Release
-
+run-name: Perform ${{github.event.inputs.tag || github.ref_name}} Release
 on:
-  pull_request:
-    types: [closed]
-    paths:
-      - '.github/project.yml'
+  push:
+    tags:
+      - '*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release'
+        required: true
+
+permissions:
+  attestations: write
+  id-token: write
+  # Needed for the publish-* workflows
+  contents: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  release:
-    runs-on: ubuntu-latest
-    name: release
-    if: ${{github.event.pull_request.merged == true}}
-    env:
-      GITHUB_TOKEN: ${{secrets.RELEASE_TOKEN}}
-
-    steps:
-      - uses: radcortez/project-metadata-action@main
-        name: retrieve project metadata
-        id: metadata
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          metadata-file-path: '.github/project.yml'
-
-      - uses: actions/checkout@v2
-        with:
-          token: ${{secrets.RELEASE_TOKEN}}
-
-      - uses: actions/setup-java@v1
-        with:
-          java-version: 11
-          server-id: 'oss.sonatype'
-          server-username: 'MAVEN_DEPLOY_USERNAME'
-          server-password: 'MAVEN_DEPLOY_TOKEN'
-          gpg-private-key: ${{secrets.MAVEN_GPG_PRIVATE_KEY}}
-          gpg-passphrase: 'MAVEN_GPG_PASSPHRASE'
-
-      - name: maven release ${{steps.metadata.outputs.current-version}}
-        env:
-          MAVEN_DEPLOY_USERNAME: ${{secrets.MAVEN_DEPLOY_USERNAME}}
-          MAVEN_DEPLOY_TOKEN: ${{secrets.MAVEN_DEPLOY_TOKEN}}
-          MAVEN_GPG_PASSPHRASE: ${{secrets.MAVEN_GPG_PASSPHRASE}}
-        run: |
-          java -version
-          git config --global user.name "SmallRye CI"
-          git config --global user.email "smallrye@googlegroups.com"
-          git checkout -b release
-          mvn -B release:prepare -Prelease,coverage -DreleaseVersion=${{steps.metadata.outputs.current-version}} -DdevelopmentVersion=${{steps.metadata.outputs.next-version}}
-          git checkout ${{github.base_ref}}
-          git rebase release
-          mvn -B release:perform -Prelease
-          git push
-          git push --tags
-
-      - uses: actions/upload-artifact@v2
-        name: tck-report
-        with:
-          name: tck-report
-          path: testsuite/tck/target/surefire-reports
-
-      - uses: radcortez/milestone-release-action@main
-        name: milestone release
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          milestone-title: ${{steps.metadata.outputs.current-version}}
+  perform-release:
+    name: Perform Release
+    uses: smallrye/.github/.github/workflows/perform-release.yml@main
+    secrets: inherit
+    with:
+      version: ${{github.event.inputs.tag || github.ref_name}}
+
+  publish-tck:
+    name: Publish TCK Report
+    uses: ./.github/workflows/publish-tck.yml
+    secrets: inherit
+    with:
+      version: ${{github.event.inputs.tag || github.ref_name}}
diff --git a/.github/workflows/pre-release.yml → .github/workflows/review-release.yml b/.github/workflows/pre-release.yml → .github/workflows/review-release.yml
@@ -1,4 +1,4 @@
-name: SmallRye Pre Release
+name: SmallRye Review Release
 
 on:
   pull_request:

diff --git a/.github/workflows/update-milestone.yml b/.github/workflows/update-milestone.yml
@@ -0,0 +1,17 @@
+name: Update Milestone
+
+on:
+  pull_request_target:
+    types: [closed]
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    name: update-milestone
+    if: ${{github.event.pull_request.merged == true}}
+
+    steps:
+      - uses: radcortez/milestone-set-action@main
+        name: milestone set
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
diff --git a/README.adoc b/README.adoc
@@ -1,10 +1,10 @@
 :microprofile-jwt: https://github.com/eclipse/microprofile-jwt-auth/
 :mp-jwt-name: Eclipse MicroProfile JWT RBAC
 :ci: https://github.com/smallrye/smallrye-jwt/actions?query=workflow%3A%22SmallRye+Build%22
-:sonar: https://sonarcloud.io/dashboard?id=smallrye_smallrye-jwt
+:sonar: https://sonarcloud.io/dashboard?id=io.smallrye%3Asmallrye-jwt
 
 image:https://github.com/smallrye/smallrye-jwt/workflows/SmallRye%20Build/badge.svg?branch=main[link={ci}]
-image:https://sonarcloud.io/api/project_badges/measure?project=smallrye_smallrye-jwt&metric=alert_status["Quality Gate Status", link={sonar}]
+image:https://sonarcloud.io/api/project_badges/measure?project=io.smallrye%3Asmallrye-jwt&metric=alert_status["Quality Gate Status", link={sonar}]
 image:https://img.shields.io/github/license/smallrye/smallrye-jwt.svg["License", link="http://www.apache.org/licenses/LICENSE-2.0"]
 image:https://img.shields.io/maven-central/v/io.smallrye/smallrye-jwt?color=green[]
 

diff --git a/coverage/pom.xml b/coverage/pom.xml
@@ -20,7 +20,7 @@
     <parent>
         <groupId>io.smallrye</groupId>
         <artifactId>smallrye-jwt-parent</artifactId>
-        <version>4.5.3</version>
+        <version>4.6.1-SNAPSHOT</version>
     </parent>
 
     <artifactId>smallrye-jwt-coverage</artifactId>

diff --git a/doc/modules/ROOT/pages/configuration.adoc b/doc/modules/ROOT/pages/configuration.adoc
@@ -39,6 +39,7 @@ SmallRye JWT supports many properties which can be used to customize the token p
 [cols="<m,<m,<2",options="header"]
 |===
 |Property Name|Default|Description
+|smallrye.jwt.verify.secretkey|none|Secret key supplied as a string.
 |smallrye.jwt.verify.key.location|NONE|Location of the verification key which can point to both public and secret keys. Secret keys can only be in the JWK format. Note that 'mp.jwt.verify.publickey.location' will be ignored if this property is set.
 |smallrye.jwt.verify.algorithm|`RS256`|Signature algorithm. Set it to `ES256` to support the Elliptic Curve signature algorithm. This property is deprecated, use `mp.jwt.verify.publickey.algorithm`.
 |smallrye.jwt.verify.key-format|`ANY`|Set this property to a specific key format such as `PEM_KEY`, `PEM_CERTIFICATE`, `JWK` or `JWK_BASE64URL` to optimize the way the verification key is loaded.
@@ -60,6 +61,7 @@ SmallRye JWT supports many properties which can be used to customize the token p
 |smallrye.jwt.groups-separator|' '|Separator for splitting a string which may contain multiple group values. It will only be used if the `smallrye.jwt.path.groups` property points to a custom claim whose value is a string. The default value is a single space because a standard OAuth2 `scope` claim may contain a space separated sequence.
 |smallrye.jwt.claims.groups|none| This property can be used to set a default groups claim value when the current token has no standard groups claim available (or no custom groups claim when `smallrye.jwt.path.groups` is used).
 |smallrye.jwt.jwks.refresh-interval|60|JWK cache refresh interval in minutes. It will be ignored unless the `mp.jwt.verify.publickey.location` points to the HTTP or HTTPS URL based JWK set and no HTTP `Cache-Control` response header with a positive `max-age` parameter value is returned from a JWK set endpoint.
+|smallrye.jwt.jwks.retain-cache-on-error-duration|0|JWK cache retain on error duration in minutes which sets the length of time, before trying again, to keep using the cache when an error occurs making the request to the JWKS URI or parsing the response. It will be ignored unless the `mp.jwt.verify.publickey.location` property points to the HTTP or HTTPS URL based JWK set.
 |smallrye.jwt.jwks.forced-refresh-interval|30|Forced JWK cache refresh interval in minutes which is used to restrict the frequency of the forced refresh attempts which may happen when the token verification fails due to the cache having no JWK key with a `kid` property matching the current token's `kid` header. It will be ignored unless the `mp.jwt.verify.publickey.location` points to the HTTP or HTTPS URL based JWK set.
 |smallrye.jwt.expiration.grace|0|Expiration grace in seconds. By default an expired token will still be accepted if the current time is no more than 1 min after the token expiry time. This property is deprecated. Use `mp.jwt.verify.clock.skew` instead.
 |smallrye.jwt.verify.aud|none|Comma separated list of the audiences that a token `aud` claim may contain. This property is deprecated. Use `mp.jwt.verify.audiences` instead.

diff --git a/implementation/common/pom.xml b/implementation/common/pom.xml
@@ -22,7 +22,7 @@
   <parent>
     <groupId>io.smallrye</groupId>
     <artifactId>smallrye-jwt-implementation-parent</artifactId>
-    <version>4.5.3</version>
+    <version>4.6.2-SNAPSHOT</version>
   </parent>
 
   <artifactId>smallrye-jwt-common</artifactId>

diff --git a/implementation/common/src/main/java/io/smallrye/jwt/JsonProviderHolder.java b/implementation/common/src/main/java/io/smallrye/jwt/JsonProviderHolder.java
@@ -0,0 +1,15 @@
+package io.smallrye.jwt;
+
+import jakarta.json.spi.JsonProvider;
+
+public final class JsonProviderHolder {
+
+    private static final JsonProvider JSON_PROVIDER = JsonProvider.provider();
+
+    private JsonProviderHolder() {
+    }
+
+    public static JsonProvider jsonProvider() {
+        return JSON_PROVIDER;
+    }
+}
diff --git a/implementation/common/src/main/java/io/smallrye/jwt/util/KeyUtils.java b/implementation/common/src/main/java/io/smallrye/jwt/util/KeyUtils.java
@@ -48,7 +48,6 @@
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
 
-import jakarta.json.Json;
 import jakarta.json.JsonArray;
 import jakarta.json.JsonObject;
 import jakarta.json.JsonReader;
@@ -59,6 +58,7 @@
 import org.jose4j.jwk.OctetSequenceJsonWebKey;
 import org.jose4j.jwk.PublicJsonWebKey;
 
+import io.smallrye.jwt.JsonProviderHolder;
 import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
 import io.smallrye.jwt.algorithm.SignatureAlgorithm;
 
@@ -312,8 +312,7 @@ private static String getKeyStoreType(String keyStorePath, Optional<String> keyS
         if (keyStoreType.isPresent()) {
             return keyStoreType.get().toUpperCase();
         }
-        final String pathName = keyStorePath.toString();
-        if (pathName.endsWith(".p12") || pathName.endsWith(".pkcs12") || pathName.endsWith(".pfx")) {
+        if (keyStorePath.endsWith(".p12") || keyStorePath.endsWith(".pkcs12") || keyStorePath.endsWith(".pfx")) {
             return "PKCS12";
         } else {
             // assume jks
@@ -452,7 +451,7 @@ public static List<JsonWebKey> loadJsonWebKeys(String content) {
         JWTUtilLogging.log.loadingJwks();
 
         JsonObject jwks = null;
-        try (JsonReader reader = Json.createReader(new StringReader(content))) {
+        try (JsonReader reader = JsonProviderHolder.jsonProvider().createReader(new StringReader(content))) {
             jwks = reader.readObject();
         } catch (Exception ex) {
             JWTUtilLogging.log.loadingJwksFailed(ex);

diff --git a/implementation/jwt-auth/pom.xml b/implementation/jwt-auth/pom.xml
@@ -22,7 +22,7 @@
   <parent>
     <groupId>io.smallrye</groupId>
     <artifactId>smallrye-jwt-implementation-parent</artifactId>
-    <version>4.5.3</version>
+    <version>4.6.2-SNAPSHOT</version>
   </parent>
 
   <artifactId>smallrye-jwt</artifactId>
@@ -89,7 +89,7 @@
     <dependency>
       <groupId>org.hamcrest</groupId>
       <artifactId>hamcrest-core</artifactId>
-      <version>2.2</version>
+      <version>3.0</version>
       <scope>test</scope>
     </dependency>
     <dependency>