Nimbus JOSE + JWT 2.3 with improved thread-safety

We just released another update to the Java library for processing JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK) and JSON Web Token (JWT) objects.

A goal of this 2.3 release was to improve the thread-safety of the key classes to allow seamless use in concurrent server environments.

The core classes for representing the JOSE objects – PlainObject, JWSObject and JWEObject – are all thread-safe now. So are the implemented standard HMAC, RSA and ECDSA signature and verification providers in the com.nimbusds.jose.crypto package.

To ease understanding of which classes are immutable and / or thread-safe, we applied the widely used JCIP concurrency annotations. The result can be seen in the excellent library JavaDocs.

Another useful addition was the getParsedParts() and getParsedString() methods of JOSEObject to query the original Base64URL parts or entire string of a parsed JOSE object. As you may know, JOSE doesn’t apply canonicalisation to the JSON header, which may result in different serialisations across implementations and even within the same implementation, so it’s useful to have these methods when you need to get back the original parsed string.

Finally, there was yet another naming change to signature interfaces and classes. We hope we got it right this time :)

You can get the latest JAR, sources and JavaDocs of the library from its Git repo at

https://bitbucket.org/connect2id/nimbus-jose-jwt

Enjoy!