I'm trying to do a custom build of Spring Cloud Dataflow, which itself has dependencies on Spring Security OAuth2 packages. I'm ending up with dependency issues in both the Maven and Gradle builds for com.nimbusds:nimbus-jose-jwt.
Here's the Maven dependency tree from two different projects:
+- org.springframework.cloud:spring-cloud-common-security-config-core:jar:1.3.1.RELEASE:compile
|  \- org.springframework.security:spring-security-oauth2-client:jar:5.2.4.RELEASE:compile
|     +- com.nimbusds:oauth2-oidc-sdk:jar:6.14:compile
|     |  +- com.sun.mail:javax.mail:jar:1.6.1:compile
|     |  |  \- javax.activation:activation:jar:1.1:compile
|     |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
|     |  +- com.nimbusds:lang-tag:jar:1.5:compile (version selected from constraint [1.4.3,))
|     |  \- com.nimbusds:nimbus-jose-jwt:jar:8.17:compile (version selected from constraint [6.0.1,))
|     +- org.springframework.security:spring-security-core:jar:5.2.4.RELEASE:compile
|     +- org.springframework.security:spring-security-oauth2-core:jar:5.2.4.RELEASE:compile
|     \- org.springframework.security:spring-security-web:jar:5.2.4.RELEASE:compile
-----
+- org.springframework.cloud:spring-cloud-starter-common-security-config-web:jar:1.3.1.RELEASE:compile
|  \- org.springframework.cloud:spring-cloud-common-security-config-web:jar:1.3.1.RELEASE:compile
|     +- org.springframework.cloud:spring-cloud-common-security-config-core:jar:1.3.1.RELEASE:compile
|     |  \- org.springframework.security:spring-security-oauth2-client:jar:5.2.4.RELEASE:compile
|     |     \- com.nimbusds:oauth2-oidc-sdk:jar:6.14:compile
|     |        +- com.sun.mail:javax.mail:jar:1.6.1:compile
|     |        |  \- javax.activation:activation:jar:1.1:compile
|     |        \- com.nimbusds:lang-tag:jar:1.5:compile (version selected from constraint [1.4.3,))
|     +- org.springframework.security:spring-security-oauth2-jose:jar:5.2.4.RELEASE:compile
|     |  +- com.nimbusds:nimbus-jose-jwt:jar:7.8.1:compile
I think this is caused by using the latest.release trick in the Gradle build:
https://github.com/spring-projects/spring-security/blob/9a72654b8df933d60059a6c11a1b66fa0b6761a4/gradle/dependency-management.gradle#L38-L39
I think that at the time spring-security is built, com.nimbusds:oauth2-oidc-sdk doesn't necessarily depend on the latest existing version of com.nimbusds:nimbus-jose-jwt. Then, as spring-security itself depends on com.nimbusds:nimbus-jose-jwt, it's kind of hit and miss which one you end up getting into your build.
I'd like to propose that Spring Security use the same com.nimbusds:nimbus-jose-jwt version as defined in com.nimbusds:oauth2-oidc-sdk. Then I think we would always get predictable versions, as at least in my case those nimbusds deps are only coming from Spring Security.
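As an added example (not code from this report, from Spring Security or from Nimbus), the script below parses `mvn dependency:tree` output such as the two trees above and flags the two things that make a build like this non-reproducible: artifacts whose version was "selected from constraint" (a range that floats to whatever is newest in the repository on the day you build) and artifacts that resolve to different versions in different parts of the graph. It then renders the Maven `dependencyManagement` and Gradle `constraints` fragments that pin such an artifact, since a managed or strictly constrained version wins over a range declared by a transitive dependency. The sample input is the two trees from the report pasted into the script; the function names and the pinned version 8.8 (the nimbus-jose-jwt version that oauth2-oidc-sdk 7.1.1 declares, per the later comment) are choices made for illustration.

```python
"""Flag floating and conflicting versions in `mvn dependency:tree` output and render pins.
Added example for this thread; not the reporter's, Spring Security's or Nimbus' code."""
import re
from collections import defaultdict

# Constructed sample input: the two trees from the report, as `mvn dependency:tree` prints them.
SAMPLE_TREE = r"""
+- org.springframework.cloud:spring-cloud-common-security-config-core:jar:1.3.1.RELEASE:compile
|  \- org.springframework.security:spring-security-oauth2-client:jar:5.2.4.RELEASE:compile
|     +- com.nimbusds:oauth2-oidc-sdk:jar:6.14:compile
|     |  +- com.sun.mail:javax.mail:jar:1.6.1:compile
|     |  |  \- javax.activation:activation:jar:1.1:compile
|     |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
|     |  +- com.nimbusds:lang-tag:jar:1.5:compile (version selected from constraint [1.4.3,))
|     |  \- com.nimbusds:nimbus-jose-jwt:jar:8.17:compile (version selected from constraint [6.0.1,))
|     +- org.springframework.security:spring-security-core:jar:5.2.4.RELEASE:compile
|     +- org.springframework.security:spring-security-oauth2-core:jar:5.2.4.RELEASE:compile
|     \- org.springframework.security:spring-security-web:jar:5.2.4.RELEASE:compile
-----
+- org.springframework.cloud:spring-cloud-starter-common-security-config-web:jar:1.3.1.RELEASE:compile
|  \- org.springframework.cloud:spring-cloud-common-security-config-web:jar:1.3.1.RELEASE:compile
|     +- org.springframework.cloud:spring-cloud-common-security-config-core:jar:1.3.1.RELEASE:compile
|     |  \- org.springframework.security:spring-security-oauth2-client:jar:5.2.4.RELEASE:compile
|     |     \- com.nimbusds:oauth2-oidc-sdk:jar:6.14:compile
|     |        +- com.sun.mail:javax.mail:jar:1.6.1:compile
|     |        |  \- javax.activation:activation:jar:1.1:compile
|     |        \- com.nimbusds:lang-tag:jar:1.5:compile (version selected from constraint [1.4.3,))
|     +- org.springframework.security:spring-security-oauth2-jose:jar:5.2.4.RELEASE:compile
|     |  +- com.nimbusds:nimbus-jose-jwt:jar:7.8.1:compile
"""

# Optional "[INFO] " prefix, tree drawing characters, then group:artifact:type[:classifier]:version:scope,
# optionally followed by Maven's note that the version came from a range.
LINE_RE = re.compile(
    r"^(?:\[INFO\]\s*)?[\s|+\\-]*(?P<coords>[\w.\-]+(?::[\w.\-]+){4,5})"
    r"(?:\s+\(version selected from constraint (?P<range>\S+)\))?"
)


def parse_tree(text):
    """Return [(group:artifact, version, range_or_None)] for every dependency line; skip the rest."""
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, separators, plugin chatter
        parts = m["coords"].split(":")
        deps.append((f"{parts[0]}:{parts[1]}", parts[-2], m["range"]))
    return deps


def find_range_resolved(deps):
    """Artifacts whose version was picked from a range: the build floats with the repository."""
    return sorted({(ga, version, rng) for ga, version, rng in deps if rng})


def find_conflicts(deps):
    """Artifacts resolved to more than one version somewhere in the parsed trees."""
    seen = defaultdict(set)
    for ga, version, _ in deps:
        seen[ga].add(version)
    return {ga: sorted(versions) for ga, versions in seen.items() if len(versions) > 1}


def maven_dependency_management(pins):
    """Render a <dependencyManagement> block; a managed version overrides transitive ranges."""
    entries = []
    for ga, version in sorted(pins.items()):
        group, artifact = ga.split(":")
        entries.append(f"    <dependency>\n      <groupId>{group}</groupId>\n"
                       f"      <artifactId>{artifact}</artifactId>\n"
                       f"      <version>{version}</version>\n    </dependency>\n")
    return ("<dependencyManagement>\n  <dependencies>\n" + "".join(entries)
            + "  </dependencies>\n</dependencyManagement>\n")


def gradle_constraints(pins, configuration="implementation"):
    """Render a Gradle Groovy DSL constraints block; `strictly` rejects other versions, ranges included."""
    lines = ["dependencies {", "    constraints {"]
    for ga, version in sorted(pins.items()):
        lines += [f"        {configuration}('{ga}') {{",
                  f"            version {{ strictly '{version}' }}",
                  "            because 'transitive version range made resolution non-deterministic'",
                  "        }"]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_tree(SAMPLE_TREE)
    for ga, version, rng in find_range_resolved(found):
        print(f"floating: {ga} resolved to {version} from range {rng}")
    for ga, versions in find_conflicts(found).items():
        print(f"conflict: {ga} seen as {', '.join(versions)}")
    pins = {"com.nimbusds:nimbus-jose-jwt": "8.8"}  # assumed pin for illustration
    print(maven_dependency_management(pins))
    print(gradle_constraints(pins))
```

Run it against your own `mvn dependency:tree -Dverbose` output (or one tree per module concatenated); anything it reports as floating or conflicting is a candidate for a managed version, and the rendered fragment is what you paste into the parent pom or the Gradle build to make the resolution repeatable.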
Comment From: jzheaux
@jvalkeal, I believe this is related to an issue in Nimbus: https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/261/please-dont-use-version-ranges-in-library - the constraint matching is because of how Nimbus was publishing their binaries.
Additionally, Spring Security didn't add version ranges until 5.3, so I'm thinking that it's probably due to how Nimbus was releasing in the past.
Do you see the same dependency issues if you manage to a more recent version of the Nimbus artifacts?
Comment From: jvalkeal
I didn't try Spring Security 5.3.2, but looking at the actual poms, there's the same issue.
spring-security-oauth2-client 5.3.2 -> oauth2-oidc-sdk 7.1.1
spring-security-oauth2-jose 5.3.2 -> nimbus-jose-jwt 8.9
oauth2-oidc-sdk 7.1.1 -> nimbus-jose-jwt 8.8
spring-security-oauth2-client-5.3.2.RELEASE.pom
spring-security-oauth2-jose-5.3.2.RELEASE.pom
oauth2-oidc-sdk-7.1.1.pom
Comment From: jvalkeal
But you're right about Spring Security 5.2.4, as the Nimbus versions pulled in from there indeed have version ranges in their poms. Looks like they removed those ranges from the latest versions.
Comment From: jzheaux
@jvalkeal Thanks again for the report.
After some additional digging, I believe this is a duplicate of #8543, and so I'm going to close it as such.
So that we've just got one channel for further discussions, please read my reasoning over there and feel free to comment on that ticket if you feel like there's more to discuss.