Re: Java EE Security.next and JWT (JSON Web Tokens)
For anything that could become part of an official JSR deliverable, that doesn't sound so good;-/
Agorava also used Scribe in the initial draft phase, but it was changed, so other than CDI compliant DeltaSpike the only thing that is not fully based on Java EE would be Jackson right now.
PicketLink, but IMO all relevant aspects of PicketLink are now found in JSR 375/Soteria, so porting https://github.com/agorava/agorava-core/tree/develop/agorava-picketlink to use Soteria should be extremely easy. The Oauth part is already there independent of Google or other libraries.