Dependency convergence error for com.nimbusds:nimbus-jose-jwt:8.8 paths to dependency are:
+-some.internal.package:our-security:1.5.32-SNAPSHOT
  +-org.springframework.security:spring-security-oauth2-client:5.3.2.RELEASE
    +-com.nimbusds:oauth2-oidc-sdk:7.1.1
      +-com.nimbusds:nimbus-jose-jwt:8.8
and
+-some.internal.package:our-security:1.5.32-SNAPSHOT
  +-org.springframework.security:spring-security-oauth2-jose:5.3.2.RELEASE
    +-com.nimbusds:nimbus-jose-jwt:8.9

Comment From: jgrandja

@bratwurzt Please provide more details and a minimal sample that reproduces the error.

Comment From: bratwurzt

@bratwurzt Please provide more details and a minimal sample that reproduces the error.

Sorry, notifications were muted. Will prepare one next week ASAP.

Comment From: jgrandja

8564 may be related

Comment From: jzheaux

@bratwurzt Thanks for the report.

This is something that the community should take up with the Nimbus team.

The fact is that the oauth2-oidc-sdk and nimbus-jose-jwt releases aren't synchronized. For example, Nimbus released nimbus-jose-jwt:8.18 today, but the latest oauth2-oidc-sdk is on nimbus-jose-jwt:8.14.1.

Because of that, if we were to constrain Spring Security to stay in sync with oauth2-oidc-sdk's dependencies, it would delay us from getting valuable nimbus-jose-jwt updates. Further, adding a constraint like that would make our dependency management story more complex.

To me, it seems to be a reasonable request for Nimbus to keep oauth2-oidc-sdk up to date with the latest nimbus-jose-jwt by releasing oauth2-oidc-sdk when nimbus-jose-jwt is released. We do this kind of thing for spring-security-oauth2-boot-autoconfigure, for example, to keep it in sync with Spring Boot.

If you log a ticket with Nimbus, please consider adding the link here so that others who find this ticket can follow along.
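One way for the reporting project to make the two paths converge in its own build, as an added example (not from this issue, from Spring Security or from Nimbus): pin com.nimbusds:nimbus-jose-jwt in dependencyManagement to the newer of the two versions the enforcer reported (8.9, the one spring-security-oauth2-jose already pulls in), and keep the dependencyConvergence rule on so that a future bump of either Spring module fails fast instead of silently picking a version. The project coordinates and dependency versions are taken from the error output above; the maven-enforcer-plugin version is an assumption.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>some.internal.package</groupId>
  <artifactId>our-security</artifactId>
  <version>1.5.32-SNAPSHOT</version>
  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive JOSE library to 8.9 (reported via spring-security-oauth2-jose) rather
           than 8.8 (via oauth2-oidc-sdk), so every path resolves to the same, newer version. -->
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>8.9</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-client</artifactId>
      <version>5.3.2.RELEASE</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
      <artifactId>spring-security-oauth2-jose</artifactId>
      <version>5.3.2.RELEASE</version>
    </dependency>
  </dependencies>
  <build>
    <plugins>
      <!-- The rule that produced the error in this issue; keep it so the build fails
           again if a later upgrade reintroduces two different nimbus-jose-jwt versions. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed version; use the one the build already has -->
        <executions>
          <execution>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules><dependencyConvergence/></rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Pinning to the newer release keeps the JOSE library that carries the latest fixes; after the change, mvn dependency:tree should show no path still resolving to 8.8.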