[Feature Request] RFC 7518 JSON Web Tokens (JWTs)

Release 2.2.9 just came out and has this in the release notes:

  • Whitelisted selected Nimbus Jose/JWT classes (PlainObject, JWSObject, Payload, JWEObject, JWEHeader, PlainJWT, SignedJWT, EncryptedJWT, JWTClaimsSet).

It's super close to what we need, but there are two classes I think need to be added to the allowlist still:

  1. JWTHeader.Builder
  2. JWTClaimsSet.Builder

I wasn't able to find a workaround to use SignedJWT without these two classes being allowlisted. I also messaged @gopher.ny to thank him and let him know there were two classes missing from the allowlist.