Start with the Jakarta Security requirements around JWT
That's certainly something we can start with. The requirements are essentially that within a Jakarta EE environment the authentication mechanism MUST enable a CDI bean based on HttpAuthenticationMechanism, and MUST use the Jakarta Authentication SPI to set the authenticated identity, and that it SHOULD use an IdentityStore for token validation. The actual spec text should be a little more elaborate and provide some examples, but that's what it essentially boils down to.
Furthermore, it would be a nice-to-have to have an annotation like BasicAuthenticationMechanismDefinition instead of LoginConfig that accepts EL expressions (there's no EL dependency needed for that, as the attributes are simply of type string).
and have those demonstrate why or why can't the MP JWT spec be used as a transitive dependency.
I'm not sure about that last one, as it looks like what I proposed in the initial post, but which was more or less rejected in the cacophony of protest. Do you mean that the Jakarta security spec, and specifically the Jakarta Security API jar directly has the MP JWT spec / api as a dependency?
E.g.
<dependencies>
<dependency>
<groupId>jakarta.servlet</groupId>
<artifactId>jakarta.servlet-api</artifactId>
<version>6.0.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>jakarta.interceptor</groupId>
<artifactId>jakarta.interceptor-api</artifactId>
<version>2.1.0</version>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.eclipse.microprofile.jwt</groupId>
<artifactId>microprofile-jwt-auth-api</artifactId>
<version>2.1</version>
<scope>provided</scope>
</dependency>