Merge main branch

Author: tanya732

.github/workflows/build-and-test.yml

@@ -17,16 +17,16 @@ jobs:
           java-version: 17
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
 
       - name: Test and Assemble with Gradle
         run: ./gradlew assemble check --continue --console=plain
 
-      - uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           flags: unittests
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v6
         with:
           name: Reports
           path: |

.github/workflows/claude-code-review.yml

@@ -7,4 +7,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: gradle/actions/wrapper-validation@v5
+      - uses: gradle/actions/wrapper-validation@v5.0.2

.github/workflows/gradle-wrapper-validation.yml

@@ -41,7 +41,7 @@ jobs:
           java-version: ${{ inputs.java-version }}
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+        uses: gradle/actions/setup-gradle@0723195856401067f7a2779048b490ace7a47d7c # v5.0.2
 
       - name: Test and Assemble with Gradle
         run: ./gradlew assemble check --continue --console=plain

.github/workflows/rl-scanner.yml

@@ -172,3 +172,6 @@ target/
 ### Test results ###
 **/test-results/
 **/reports/
+
+### Claude Code ###
+.claude/settings.local.json

.github/workflows/sca_scan.yml

@@ -0,0 +1,14 @@
+{
+  "files": {
+    ".version": [],
+    "README.md": [
+      "<version>{MAJOR}.{MINOR}.{PATCH}</version>",
+      "`{MAJOR}.{MINOR}.{PATCH}`"
+    ],
+    "auth0-springboot-api/README.md": [
+      "<version>{MAJOR}.{MINOR}.{PATCH}</version>",
+      "auth0-springboot-api:{MAJOR}.{MINOR}.{PATCH}"
+    ]
+  },
+  "prefixVersion": false
+}

.gitignore

@@ -1 +1 @@
-1.0.0-beta.1
+1.0.0-beta.0

.shiprc

@@ -0,0 +1,105 @@
+# Changelog
+
+## [1.0.0-beta.0](https://github.com/auth0/auth0-auth-java/tree/1.0.0-beta.0) (2026-03-02)
+
+### Features
+
+- **JWT Bearer Authentication** - Complete Spring Security integration for validating Auth0-issued JWTs.
+- **DPoP (Demonstration of Proof-of-Possession) Support** - Built-in support for DPoP token security per [RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449), including proof validation, token binding, and JWK thumbprint verification.
+- **Flexible Authentication Modes** - Configure how your API handles token types:
+  - `DISABLED` - Accept Bearer tokens only.
+  - `ALLOWED` - Accept both Bearer and DPoP tokens (default).
+  - `REQUIRED` - Enforce DPoP tokens only.
+- **Scope-Based Authorization** - Derive Spring Security authorities from JWT scopes with `SCOPE_` prefix for use with `hasAuthority()`.
+- **Custom Claim Access** - Access any JWT claim via `Auth0AuthenticationToken.getClaim(name)` and `getClaims()`.
+- **Auto-Configuration** - Minimal setup required; just provide `auth0.domain` and `auth0.audience` properties.
+- **WWW-Authenticate Header Generation** - Automatic RFC-compliant error response headers for Bearer and DPoP challenges.
+- **Java 8+ Core Module** - The underlying `auth0-api-java` module targets Java 8, enabling use in non-Spring environments.
+
+### Installation
+
+**Gradle**
+
+```groovy
+implementation 'com.auth0:auth0-springboot-api:1.0.0-beta.0'
+```
+
+**Maven**
+
+```xml
+<dependency>
+    <groupId>com.auth0</groupId>
+    <artifactId>auth0-springboot-api</artifactId>
+    <version>1.0.0-beta.0</version>
+</dependency>
+```
+
+### Basic Usage
+
+**1. Add application properties:**
+
+```yaml
+auth0:
+  domain: "your-tenant.auth0.com"
+  audience: "https://your-api-identifier"
+  dpopMode: ALLOWED                  # DISABLED | ALLOWED | REQUIRED
+```
+
+**2. Configure Spring Security:**
+
+```java
+@Configuration
+@EnableMethodSecurity
+public class SecurityConfig {
+
+    @Bean
+    SecurityFilterChain apiSecurity(HttpSecurity http, Auth0AuthenticationFilter authFilter)
+            throws Exception {
+        return http
+            .csrf(csrf -> csrf.disable())
+            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+            .authorizeHttpRequests(auth -> auth
+                .requestMatchers("/api/public").permitAll()
+                .requestMatchers("/api/protected").authenticated()
+                .requestMatchers("/api/admin/**").hasAuthority("SCOPE_admin")
+                .anyRequest().permitAll())
+            .addFilterBefore(authFilter, UsernamePasswordAuthenticationFilter.class)
+            .build();
+    }
+}
+```
+
+**3. Access authenticated user info in your controller:**
+
+```java
+@RestController
+@RequestMapping("/api")
+public class ApiController {
+
+    @GetMapping("/protected")
+    public ResponseEntity<Map<String, Object>> protectedEndpoint(Authentication authentication) {
+        Auth0AuthenticationToken token = (Auth0AuthenticationToken) authentication;
+        return ResponseEntity.ok(Map.of(
+            "user", authentication.getName(),
+            "email", token.getClaim("email"),
+            "scopes", token.getScopes()
+        ));
+    }
+}
+```
+
+### Dependencies
+
+| Dependency | Version | Module |
+|---|---|---|
+| Spring Boot Starter | 3.2.0 | auth0-springboot-api |
+| Spring Boot Starter Web | 3.2.0 | auth0-springboot-api |
+| Spring Boot Starter Security | 3.2.0 | auth0-springboot-api |
+| Jackson Databind | 2.15.2 | auth0-api-java |
+| Apache HttpClient | 4.5.14 | auth0-api-java |
+| Auth0 java-jwt | 4.5.1 | auth0-api-java |
+| Auth0 jwks-rsa | 0.23.0 | auth0-api-java |
+
+**Runtime Requirements:**
+- `auth0-springboot-api` — Java 17+
+- `auth0-api-java` — Java 8+

.version

@@ -6,7 +6,7 @@
 ![Java Version](https://img.shields.io/badge/java-8%2B-blue)
 ![License](https://img.shields.io/badge/license-MIT-green)
 
-A comprehensive Java library for Auth0 JWT authentication with built-in **DPoP (Demonstration of Proof-of-Possession)** support. This multi-module project provides both a core authentication library and Spring Boot integration for secure API development.
+A comprehensive Java library for Auth0 JWT authentication with built-in **DPoP (Demonstration of Proof-of-Possession)** support. This project provides Spring Boot integration for secure API development.
 
 ## 🏗️ Architecture Overview
 
@@ -37,15 +37,15 @@ If you're building a Spring Boot application, use the Spring Boot integration:
 <dependency>
     <groupId>com.auth0</groupId>
     <artifactId>auth0-springboot-api</artifactId>
-    <version>1.0.0-SNAPSHOT</version>
+    <version>1.0.0-beta.0</version>
 </dependency>
 ```
 
 **👉 [Get started with Spring Boot integration →](./auth0-springboot-api/README.md)**
 
 ### For Core Java Applications
 
-The core library (`auth0-api-java`) is currently an internal module used by the Spring Boot integration. It provides:
+It provides:
 
 - JWT validation with Auth0 JWKS integration
 - DPoP proof validation per [RFC 9449](https://datatracker.ietf.org/doc/html/rfc9449)
@@ -78,11 +78,11 @@ This project uses Gradle with a multi-module setup:
 
 ## 📦 Publishing
 
-Only the Spring Boot integration module is published as a public artifact:
+Spring Boot integration module is published as a public artifact:
 
-| Module                 | Group ID    | Artifact ID            | Version          | Status           |
-| ---------------------- | ----------- | ---------------------- | ---------------- | ---------------- |
-| `auth0-springboot-api` | `com.auth0` | `auth0-springboot-api` | `1.0.0-SNAPSHOT` | 📦 **Published** |
+| Module                 | Group ID    | Artifact ID            | Version        | Status           |
+| ---------------------- | ----------- | ---------------------- |----------------| ---------------- |
+| `auth0-springboot-api` | `com.auth0` | `auth0-springboot-api` | `1.0.0-beta.0` | 📦 **Published** |
 
 The core library (`auth0-api-java`) is bundled as an internal dependency within the Spring Boot module and is not published separately.