oauth2-oidc-sdk has version ranges in the published pom which leads to various issues. This breaks start.spring.io's metadata verification tests so I've reported the problem.

It would be nice if Spring Security would upgrade to this version so that we're not affected by the resolution of version ranges anymore.

Comment From: jgrandja

@snicoll There is a backwards compatibility issue with version 7.0 which I fixed in #7994. I'm not sure if the same issue exists in 7.0.3. Is there a reason you would like us to upgrade to the 7.x line?

Comment From: snicoll

The fix for the issue I mentioned is only available in the 7.x line as far as I can see.

Comment From: chenrujun

Hi, @jzheaux . (cc: @snicoll )

You set oauth2-oidc-sdk's version to latest.release in your commit, but in spring-boot-dependencies the version is 7.1.1; this may cause version conflict problems, such as ClassNotFound / NoSuchMethod.

So can we do it like this:

  1. Set the version of oauth2-oidc-sdk to 7.1.1, the same as the version in spring-boot-dependencies.
  2. Add all of spring-security's external dependencies' versions to spring-boot-dependencies, and use spring-boot-dependencies to manage the external dependencies' versions for spring-security?

Comment From: chenrujun

Hi, @snicoll

I see you updated nimbus-jose-jwt's version to 9.0.1.

Could you please use spring-boot-dependencies for spring-security instead of managing versions in dependency-management.gradle?

So we can have uniform versions for Spring apps.

Comment From: jzheaux

@chenrujun thanks for reaching out and spending some time thinking about this.

Since Boot always releases after Security, it would be tricky to base Security's dependency versions on the ones that Boot is using. That said, I agree that it's important that the two products work well together. Note that Spring Security builds with Boot-based samples to verify compatibility.

As for your own project, any dependencies Spring Boot manages take precedence in your Spring Boot application, so you should be able to look to spring-boot-dependencies for a definitive answer.

That said, note that Spring Security 5.4.0 released with oauth2-oidc-sdk:8.19.1 and nimbus-jose-jwt:9.0. As you noted, Spring Boot 2.4.0-M3 is already using these same minor versions.

Nimbus is a bit of a special case since they release with each PR merge and don't have a stated support policy for major or minor versions. This is why Spring Security uses latest.release to ensure it's able to get Nimbus's security patches and bug fixes.

Comment From: chenrujun

@jzheaux.

I got it. Thank you very much for your detailed explanation.
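The thread turns on two kinds of non-pinned versions: Maven ranges in a published POM (the opening report) and the `latest.release` selector jzheaux describes. The script below is an added example, not code from the thread or from either project; it scans a constructed POM for such versions so a build can fail fast when a dependency's resolution would depend on what the repository happens to contain that day. The coordinates echo the thread, but the range values are made up.

```python
"""Flag dependency versions that are Maven ranges or dynamic selectors.

A range such as [8.0,9.0) or a selector such as latest.release resolves
to whatever the repository holds at build time, so two builds of the
same source can pull different artifacts. Added example; constructed input.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Maven range syntax: [1.0,2.0), (,1.0], [1.5,) and so on.
RANGE_RE = re.compile(r"^[\[(][^\[\]()]*[\])]$")
# Dynamic selectors understood by Gradle/Maven resolvers.
DYNAMIC = {"latest.release", "latest.integration", "RELEASE", "LATEST"}

# Constructed sample POM: coordinates from the thread, versions made up.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <dependencies>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>[8.0,9.0)</version>
    </dependency>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>latest.release</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>pinned-lib</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>"""


def is_unpinned(version: str) -> bool:
    """True for a Maven range, a dynamic selector, or a Gradle '+' wildcard."""
    v = version.strip()
    return bool(RANGE_RE.match(v)) or v in DYNAMIC or v.endswith("+")


def find_unpinned(pom_xml: str) -> list:
    """Return (groupId:artifactId, version) for every non-pinned dependency."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        version = dep.findtext("m:version", default="", namespaces=NS)
        if is_unpinned(version):
            coord = f"{dep.findtext('m:groupId', namespaces=NS)}:" \
                    f"{dep.findtext('m:artifactId', namespaces=NS)}"
            hits.append((coord, version.strip()))
    return hits
```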