Expected Behavior

From spring-security-oauth2-client:5.3.2.RELEASE, my project transitively gets

+--- org.springframework.security:spring-security-oauth2-client -> 5.3.2.RELEASE
|    +--- com.nimbusds:oauth2-oidc-sdk:7.1.1 -> **8.9**
|    |    +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
|    |    +--- com.nimbusds:content-type:2.0
|    |    +--- net.minidev:json-smart:[1.3.1,2.3] -> 2.3
|    |    |    \--- net.minidev:accessors-smart:1.2
|    |    |         \--- org.ow2.asm:asm:5.0.4
|    |    +--- com.nimbusds:lang-tag:1.4.4
|    |    \--- com.nimbusds:nimbus-jose-jwt:8.14.1
|    |         +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
|    |         \--- net.minidev:json-smart:[1.3.1,2.3] -> 2.3 (*)

Current Behavior

Instead of

+--- org.springframework.security:spring-security-oauth2-client -> 5.3.2.RELEASE
|    +--- com.nimbusds:oauth2-oidc-sdk:7.1.1
|    |    +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
|    |    +--- com.nimbusds:content-type:2.0
|    |    +--- net.minidev:json-smart:1.3.1
|    |    +--- com.nimbusds:lang-tag:1.4.4
|    |    +--- com.nimbusds:nimbus-jose-jwt:8.8 -> 8.11
|    |    |    +--- com.github.stephenc.jcip:jcip-annotations:1.0-1
|    |    |    \--- net.minidev:json-smart:[1.3.1,2.3] -> 1.3.1
|    |    \--- com.sun.mail:javax.mail:1.6.1 -> 1.6.2
|    |         \--- javax.activation:activation:1.1

Context

Current version 7.1.1 pulls in deprecated packages com.sun.mail:javax.mail and javax.activation:activation which are unused by our project and cause classpath confusion for clients using the Apache Geode project.

I have run limited Geode tests using com.nimbusds:oauth2-oidc-sdk:8.9 and had success on our use scenarios.
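
A Gradle build fragment, added here as an example and not part of the issue or of Spring Security's own code, that does what the reporter describes doing by hand: it pins com.nimbusds:oauth2-oidc-sdk to the 8.9 they tested, keeps the deprecated javax.mail and javax.activation artifacts off the runtime classpath, and adds a check that fails the build if they come back through any other path. The Spring Boot and dependency-management plugin versions and the task name are assumptions; the artifact coordinates and versions are the ones in the dependency trees above.

```groovy
// Added example (not from the issue): do in build.gradle what the reporter did by hand.
// Pin com.nimbusds:oauth2-oidc-sdk to the 8.9 they tested and keep the deprecated
// com.sun.mail:javax.mail / javax.activation:activation artifacts that 7.1.1 drags in
// off the runtime classpath. Plugin versions below are assumptions, not from the issue.
plugins {
    id 'java'
    id 'org.springframework.boot' version '2.3.0.RELEASE'
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
}

repositories { mavenCentral() }

// Spring Boot's BOM manages this artifact, so a plain version bump on the dependency
// would be overridden ("managed away", as the maintainer puts it in this thread).
// Overriding the BOM's version property is the supported way to move it.
ext['oauth2-oidc-sdk.version'] = '8.9'

dependencies {
    implementation('org.springframework.security:spring-security-oauth2-client:5.3.2.RELEASE') {
        // 8.9 no longer depends on these, but an explicit exclusion also guards against
        // another dependency pulling the 7.x line (and its mail transitives) back in.
        exclude group: 'com.sun.mail', module: 'javax.mail'
        exclude group: 'javax.activation', module: 'activation'
    }
}

// Fail the build if either deprecated artifact reaches the runtime classpath through
// any path, rather than discovering the classpath clash in a Geode client at runtime.
def bannedModules = ['com.sun.mail:javax.mail', 'javax.activation:activation']

tasks.register('checkBannedModules') {   // task name is an assumption
    description = 'Fails if deprecated javax.mail/activation artifacts are on runtimeClasspath'
    doLast {
        def present = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
                .collect { "${it.moduleVersion.id.group}:${it.moduleVersion.id.name}".toString() }
                .findAll { it in bannedModules }
        if (!present.isEmpty()) {
            throw new GradleException("Deprecated artifacts on runtimeClasspath: ${present}")
        }
    }
}
tasks.named('check') { dependsOn 'checkBannedModules' }
```

Run `./gradlew dependencies --configuration runtimeClasspath` afterwards to confirm the resolved tree matches the Expected Behavior tree above rather than the Current Behavior one.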

Comment From: jzheaux

@rhoughton-pivot, thanks for the suggestion. And thank you for reporting that you were able to manually upgrade.

We won't update major versions of dependencies in maintenance release tracks, so this change would need to go into 5.4 instead of some future 5.3.x. This facilitates more predictable upgrades. For another part, Spring Boot manages some of the same dependencies we use, and they follow a still stricter policy. So, even if we performed such an upgrade, it would get managed away by Boot.

The Nimbus team is actually quite open to backport suggestions, so sometimes a solution is to ask them to apply the change you need to an earlier release. However, in this case, I understand that Nimbus is not able to remove the javax.mail dependency in the 7.x line of releases due to some of it being in their public API.

Since we've got a semi-automated process for updating to the latest Nimbus in our minor releases, I'll go ahead and close this issue. Please feel free to add more detail, though, if you feel I've misunderstood your use case.