Daniel,
Thanks for your summary and suggestions.
Not sure, if your CC to the platform list worked, because I cannot see it there yet, but I'll reply here for now, and may propagate it over there, too should you not be subscribed to both.
Of your two suggestions:
* Rip off the band-aid now but then this should be MicroProfile-wide (probably won't happen) and make Jakarta EE adopt a faster pace like MP.
* Make a "competing" implementation in Jakarta Security and let MicroProfile JWT fade with time (and document a migration path).
I would prefer the second one, because especially MP JWT has not gone at a fast pace at all.
MP JWT 1.1 was released Jun 1, 2018
1.2 was released Dec 22, 2020, over 2 1/2 years later.
And all 2.0 did on Jan 13, 2022 was to change the Jakarta EE namespace from "javax" to "jakarta". Not a single feature, it's merely 1.3 worthy for that reason.
Several features of Spring Security OAuth JWT like JOSE headers (that exist since 2015, before MP JWT even started) were never applied in MicroProfile.
I know well that defining stuff takes time, finding the right terms in JSR 375 (now Jakarta Security) took several months, but we took our time and compared not just Spring Security or similar frameworks at the time, we asked a number of people,
while in a project that caters for a smaller audience like most MP specs that is the reason why some features may be missing because the 1 or 2 really active contributors and the company they work for may not see it as important enough for their customers or use case. And if they are tied up with other work then the spec becomes practically inactive and nothing new is added.
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/es-dev