Summary

This is a nitpick, quality-of-life issue regarding the new opaque token introspection support in spring-security-oauth2-resource-server. This support uses com.nimbusds:oauth2-oidc-sdk, which is declared as an optional dependency.

My (minor) problem is that the version of com.nimbusds:oauth2-oidc-sdk is not managed anywhere by spring (either by the spring-security-bom, or by spring-boot-dependencies).

Therefore, in my nice, pristine, spring boot application, where I typically rely on managed versions from spring-boot-dependencies (which imports the spring-security-bom), I have to explicitly specify the version of com.nimbusds:oauth2-oidc-sdk that my app uses. And I have to make sure to keep it in sync with whatever version spring-security-oauth2-resource-server is compiled against.

I'm concerned that the two will become out of sync in the future. i.e. spring-security-oauth2-resource-server will bump the version of com.nimbusds:oauth2-oidc-sdk, and I'll upgrade my app to use the latest spring-boot/spring-security, but I'll have to also remember to update the version of com.nimbusds:oauth2-oidc-sdk as well.

Would it be possible for spring to manage the version of com.nimbusds:oauth2-oidc-sdk somewhere, either in spring-boot-dependencies or spring-security-bom?

Actual Behavior

The version of com.nimbusds:oauth2-oidc-sdk is not managed by spring, so the version of com.nimbusds:oauth2-oidc-sdk used has to be specified manually, which might become out of sync when spring-boot/spring-security is upgraded.

Expected Behavior

Do not have to explicitly specify version of com.nimbusds:oauth2-oidc-sdk in spring boot applications that use spring-security-oauth2-resource-server.

The same version that spring-security-oauth2-resource-server depends on is automatically used by applications at runtime.

Version

5.2.0.RC1
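The workaround the issue describes, shown as an added Maven example (not from the issue author or the Spring projects) for a build that imports spring-boot-dependencies directly; the `spring-boot.version` and `oauth2-oidc-sdk.version` properties are assumed names, and the `X.Y.Z` value is a placeholder that has to be filled in with the version spring-security-oauth2-resource-server 5.2.0.RC1 is compiled against, because the page does not state it:

```xml
<properties>
  <!-- Assumed property name; set to the Spring Boot version you are on. -->
  <spring-boot.version>2.2.0.RC1</spring-boot.version>
  <!-- Assumed property name. X.Y.Z is a placeholder: look up the version that
       spring-security-oauth2-resource-server declares for oauth2-oidc-sdk and
       bump this property whenever you bump spring-boot.version. -->
  <oauth2-oidc-sdk.version>X.Y.Z</oauth2-oidc-sdk.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Brings in spring-security-bom, which does not manage oauth2-oidc-sdk. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>${spring-boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- Manual pin for the optional dependency, kept in one place. -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>${oauth2-oidc-sdk.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-resource-server</artifactId>
  </dependency>
  <!-- Optional in the resource-server POM, so the app must declare it itself;
       the version comes from the managed entry above. -->
  <dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
  </dependency>
</dependencies>
```

After each Spring Boot upgrade, `mvn dependency:tree -Dincludes=com.nimbusds:oauth2-oidc-sdk` shows which version actually ends up on the classpath, so a drift between the pinned property and what the resource-server module was compiled against is visible before it surfaces as a runtime `NoSuchMethodError` in token introspection.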

Comment From: philsttr

Dependency management of oauth2-oidc-sdk was added to spring boot via https://github.com/spring-projects/spring-boot/issues/20974