Postpone JWT 3.0 and JWT Bridge to MicroProfile 7.1?

47 views
Skip to first unread message

John Clingan

unread,
Mar 21, 2024, 2:34:59 PMMar 21
to MicroProfile
Emily, Emerson, and I met to discuss the MicroProfile 7.0 release. Based on some feedback from those working on JWT, we'd like to recommend that we postpone these releases to MicroProfile 7.1. Justification:

  1. More time to firm up the specs (with no Jakarta EE 10 Core Profile dependency) and get feedback.
  2. We have great content for MicroProfile 7.1 in 2nd half of the year (even though the Bridge spec is standalone)
  3. MicroProfile 7.1 would also be a great marketing opportunity with a heavy focus on JWT updates
Thoughts? We'd like to get feedback ASAP (by tomorrow) so we can push the MicroProfile 7.0 Release Plan with JWT 2.1. Sorry for short notice, but we'd really like to get the ballot started.

Thanks!

Werner Keil

unread,
Mar 21, 2024, 3:12:59 PMMar 21
to MicroProfile
Are there breaking non-backward-compatible changes between JWT 3.0 and 2.x?

If so doing it in a x.1 instead of x.0 release sounds odd, otherwise why not.

Werner

Emily Jiang

unread,
Mar 21, 2024, 7:46:03 PMMar 21
to MicroProfile
Yes, good point, Werner. It would be JWT 2.2 release instead of JWT 3.0 to be included in MP 7.1. The JWT team needs to work out what would be in the next release and ensure not to add breaking changes in the JWT 2.2 release.

Sergey Beryozkin

unread,
Mar 22, 2024, 6:32:58 AMMar 22
to microp...@googlegroups.com
Hi

On Thu, Mar 21, 2024 at 11:46 PM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
Yes, good point, Werner. It would be JWT 2.2 release instead of JWT 3.0 to be included in MP 7.1. The JWT team needs to work out what would be in the next release and ensure not to add breaking changes in the JWT 2.2 release.

Emily. I'm not sure why 2.2, given that nearly all the proposed updates are technically breaking, not an API level, but at the specification level, leading to the possibly broken client applications talking to MP JWT servers
* Removing the optional part is a major change on its own
* No longer accepting RSA 1024 bit based signature by default - is enough on its own to push it to 3.0

We can discuss the MP JWT versioning later, but IMHO, it is not 2.2 but 3.0

Thanks, Sergey
 
On Thursday, March 21, 2024 at 7:12:59 PM UTC Werner Keil wrote:
Are there breaking non-backward-compatible changes between JWT 3.0 and 2.x?

If so doing it in a x.1 instead of x.0 release sounds odd, otherwise why not.

Werner
John Clingan schrieb am Donnerstag, 21. März 2024 um 19:34:59 UTC+1:
Emily, Emerson, and I met to discuss the MicroProfile 7.0 release. Based on some feedback from those working on JWT, we'd like to recommend that we postpone these releases to MicroProfile 7.1. Justification:

  1. More time to firm up the specs (with no Jakarta EE 10 Core Profile dependency) and get feedback.
  2. We have great content for MicroProfile 7.1 in 2nd half of the year (even though the Bridge spec is standalone)
  3. MicroProfile 7.1 would also be a great marketing opportunity with a heavy focus on JWT updates
Thoughts? We'd like to get feedback ASAP (by tomorrow) so we can push the MicroProfile 7.0 Release Plan with JWT 2.1. Sorry for short notice, but we'd really like to get the ballot started.

Thanks!
--
You received this message because you are subscribed to the Google Groups "MicroProfile" group.
To unsubscribe from this group and stop receiving emails from it, send an email to microprofile...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/microprofile/d6912275-42f0-4d4e-8505-cdff1a96cc34n%40googlegroups.com.

Sergey Beryozkin

unread,
Mar 22, 2024, 6:35:41 AMMar 22
to microp...@googlegroups.com
Apologies for the noise,

On Fri, Mar 22, 2024 at 10:32 AM Sergey Beryozkin <sbia...@redhat.com> wrote:
Hi

On Thu, Mar 21, 2024 at 11:46 PM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
Yes, good point, Werner. It would be JWT 2.2 release instead of JWT 3.0 to be included in MP 7.1. The JWT team needs to work out what would be in the next release and ensure not to add breaking changes in the JWT 2.2 release.

Emily.
It was meant to be a comma `,`, `.` reads strange 🙂, sorry

Emily Jiang

unread,
Mar 22, 2024, 7:13:16 AMMar 22
to MicroProfile
Hi Sergey,

My comment was about what release version of MP JWT can be added to MP 7.1. As per your notes below, the next release of MP JWT would have to be JWT 3.0. The JWT 3.0 will need to be put to MP 8.0 not MP 7.1.

Thanks,
Emily

Emily Jiang

unread,
Mar 22, 2024, 7:23:44 AMMar 22
to MicroProfile
Also I think we should focus to get MP JWT Bridge released first and then delete the duplicated parts in MP JWT.

Sergey Beryozkin

unread,
Mar 22, 2024, 7:29:01 AMMar 22
to microp...@googlegroups.com
HI Emily

On Fri, Mar 22, 2024 at 11:13 AM 'Emily Jiang' via MicroProfile <microp...@googlegroups.com> wrote:
Hi Sergey,

My comment was about what release version of MP JWT can be added to MP 7.1. As per your notes below, the next release of MP JWT would have to be JWT 3.0. The JWT 3.0 will need to be put to MP 8.0 not MP 7.1.

OK, there is some material for 2.2 there as well, like an option to retrieve the token headers, etc. It might also require some minor alignment with the newly proposed JwtAuthenticatyionMechanism in the Bridge spec
Thanks Sergey
 

Emily Jiang

unread,
Mar 25, 2024, 6:24:41 PMMar 25
to Microprofile
Thank you Sergey for the info!


Reply all
Reply to author
Forward
0 new messages