Changes

This merge improves JWT parse/decode performance by re-using Jackson ObjectFactory and ObjectReader instances that are thread safe and expensive to create.

To do so it also cleans up the deserialiser classes to use the information already available in the Jackson deserializer method parameters - namely the parser codec - instead of passing that information in at constructor time for the deserializer.

This type of pattern is already implemented in the serialize side of the codebase - note the static final ObjectMapper in JWTCreator and that the constructors for PayloadSerializer and HeaderSerializer take no arguments. This pull request brings parity to the deserialize side.

Note that there was some thought to already being able to re-use a parser by instantiating and holding an instance of 'com.auth0.jwt.JWT', but that only works partially since JWT.require is static and it instantiates a new JWTVerifier that always instantiates a new parser.

It's probably just safer to follow the same pattern as JWTCreator and transparently solve this in the library internally for the user.

I added JMH support to the build file with comments and one benchmark for decoding. On my machine throughput:

Master: 221755,008 ±(99.9%) 33951,905 ops/s [Average]
This Pull: 715079,328 ±(99.9%) 47281,796 ops/s [Average]

References

There is a lot of material out there on the internet on re-using ObjectMapper instances, and the JavaDoc in Jackson give guidance.

Testing

I added JMH support to the project so that there is some support for getting a performance impact picture. I didn't add new test cases as there seemed to be good coverage on all the deserialisation variants.

• [ X] This change adds test coverage
• [X ] This change has been tested on the latest version of Java or why not

Checklist

• [ X] I have read the Auth0 general contribution guidelines
• [X ] I have read the Auth0 Code of Conduct
• [ X] All existing and new tests complete without errors