feat(IDPLATF-6508): remove JWT validation, parse-only

[rodrigo-rufino]

Why

JWT validation is now handled at the infrastructure level by Istio, so tokens always arrive at the application already validated. Keeping validation inside the library required each service to hold a reference to the signing public key, which blocked key rotation and added unnecessary coupling to the auth infrastructure. Removing signature verification is a breaking change for any caller that relied on InvalidJwtException being thrown, which warrants a major version bump (2.0.0).

What

• Removed all internal JWT signature verification from QuintoAndarJwtBean and QuintoAndarKeycloakJwtBean
• Removed jose4j and commons-io dependencies from build.gradle
• Deleted classes: QuintoAndarPublicKeyService, QuintoAndarKeycloakPublicKeyService, SetupException, QuintoandarProperties
• getPayload() no longer declares throws InvalidJwtException
• Bumped version to 2.0.0

How

• Replaced the RSA-verification logic in both bean implementations with a plain Base64url decode of the JWT payload segment using Base64.getUrlDecoder() and Jackson's ObjectMapper
• Removed public key service beans from QuintoAndarJwtAutoConfiguration
• Updated tests to remove public key service mocks and replaced the "invalid JWT throws exception" cases with "null input returns empty Optional" cases
• Added a deprecation notice and versioning guide to README.md

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.