I agree with Arjan here, the functionality of MP JWT would normally be in Jakarta Security if it wasn't delayed so much. The same applies to some other specifications in MP, e.g. Rest client is basically an extension to Jakarta REST and all of it would be natural to have in Jakarta REST. Config was planned for Java EE 8 but didn't make it, and then it was created in MP. But for a long time it was desired in Java EE and Jakarta EE, and the fact that it's now in MP shouldn't block adding Config to Jakarta EE.
I also agree with David and the CN4J document that we shouldn't duplicate the effort. But the CN4J document also states that specs can move between working groups freeley, so MP JWT can move to Jakarta if it makes sense.
What I would like is that MP JWT moves to Jakarta Security and Jakarta Security creates a lite profile, which could be included in Jakarta Core Profile, and thus in MicroProfile. In the same way as CDI created a new lite profile which will replace full CDI in MicroProfile 6.0.
With this approach, plain Jakarta EE would have a solution for JWT and many other authentication mechanisms, without relying on Microprofile. And yes, there are still plain Jakarta EE implementations without Microprofile or with just parital MicroProfile support. Also, keep in mind that the Jakarta Security team planned to support JWT for a long time and relying on MicroProfile is not an ideal option here in the long run.
Microprofile would still include only JWT, without the remaining parts of Jakarta Security and potential dependency on Servlet.
Any objections to this approach?
All the best,Ondro Mihalyi
Director, Jakarta EE expert
Omnifish OÜ, Narva mnt 5, 10117 Tallinn, Estonia | VAT: EE102487932