The 7.x series of Nimbus changes javax.mail to an optional dependency.

Due to methods like this inside Nimbus's HTTPMessage:

public javax.mail.internet.ContentType getContentType() {
    // ...
}

Different runtimes may fail to load this class without also specifying the javax.mail dependency.

It seems a bit odd to include javax.mail as a dependency for oauth2-resource-server, and so it would be better to not have to add it. This is achievable with one change in Nimbus and one change in Spring Security, which is to stop using Nimbus's HTTPResponse.

Comment From: jgrandja

Related #7994 #8007

Comment From: jzheaux

Looking into this a little deeper, while the test suite does pass with the described changes, any time a class is referred to in a method body or signature, even if that method isn't invoked, the classloader may still load that class.

Given that, JSONObjectUtils also refers to javax.mail classes. This class is used by many other classes in Nimbus, which will make it tricky for Spring Security to avoid its usage.

As such, I'm going to close this ticket since it can't resolve the classloading concern completely.
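A way to check the classloading concern discussed in this thread, as an added example that is not part of the issue and is not Nimbus or Spring Security code: it loads each class named on the command line without initializing it and asks reflection for its declared members, which forces the types in their signatures to resolve. The class name `OptionalDependencyProbe` is hypothetical, and the probe covers signatures only; types referenced solely inside method bodies are resolved by the JVM at its own discretion and are not detected here.

```java
import java.util.Arrays;

public class OptionalDependencyProbe {

    /** Returns null if the class and its member signatures resolve, else a short reason. */
    static String probe(String className, ClassLoader loader) {
        try {
            // initialize=false: load the class without running its static initializers.
            Class<?> c = Class.forName(className, false, loader);
            // Reflection resolves every type named in field, method and constructor
            // signatures, so an absent optional dependency surfaces as a LinkageError
            // (typically NoClassDefFoundError) even though no method is invoked.
            c.getDeclaredFields();
            c.getDeclaredMethods();
            c.getDeclaredConstructors();
            return null;
        } catch (ClassNotFoundException e) {
            return "class itself is not on the classpath";
        } catch (LinkageError e) {
            return "unresolved reference: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("usage: java -cp <runtime classpath> "
                    + "OptionalDependencyProbe <fully.qualified.ClassName>...");
            System.exit(2);
        }
        ClassLoader loader = OptionalDependencyProbe.class.getClassLoader();
        // Count the classes that fail so the exit code can gate a build step.
        long failures = Arrays.stream(args).filter(name -> {
            String problem = probe(name, loader);
            System.out.println(name + ": " + (problem == null ? "OK" : problem));
            return problem != null;
        }).count();
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Run it with the same classpath the application will have at runtime, once with and once without the optional jar, to see which classes depend on it through their signatures.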