I'm getting java.lang.NoSuchMethodError: com.nimbusds.jose.Header.toJSONObject()Ljava/util/Map; when using Spring Security 5.4.1 in a Spring Boot project without also pulling in the latest nimbus-jose-jwt (9.0.1)?
https://github.com/spring-projects/spring-security/blob/366146ff8077dc83441e5a0b4e1f42ba3c02f08e/oauth2/oauth2-jose/src/main/java/org/springframework/security/oauth2/jwt/NimbusJwtDecoder.java#L154
Comment From: jzheaux
Hi, @mattjamison, sorry you are having trouble, happy to help.
Spring Boot 2.3 uses and is tested against Spring Security 5.3. Likewise, Spring Boot 2.4 milestones use and are tested against Spring Security 5.4. You thus may want to wait on upgrading to Spring Security 5.4 until you upgrade to Spring Boot 2.4 when they release.
If there's a feature from Spring Security 5.4 that you need right away, note that Spring Boot does not have a runtime dependency on Nimbus. So, you should be able to manage the dependency yourself, removing it once you upgrade Spring Boot:
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>9.0.1</version>
</dependency>
In your writing, it sounds like you might be wondering what's happening here. Nimbus released a binary-incompatible change in their 9.0 release by widening the return type of toJSONObject, meaning that Spring Security 5.4 will complain when run against Nimbus 8.x or earlier. Since Spring Boot 2.3 manages nimbus-jose-jwt to 8.19, the Spring Boot 2.3 and Spring Security 5.4 defaults aren't compatible.
The Spring Boot samples in the Spring Security repo are passing in the build. So if the above suggestion does not work, please consider sharing a minimal sample that reproduces the issue and we can take a look at that together.
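As an added example (not code from this thread, from Spring Security or from Nimbus), the following plain-Java preflight check makes the mismatch described above visible at start-up instead of at the first token decode. The JVM links a call site by its full descriptor (method name, parameter types and return type), so when Nimbus 9.0 widened `Header.toJSONObject()` from `net.minidev.json.JSONObject` to `java.util.Map`, the 8.x and 9.x jars expose two different descriptors and a Spring Security 5.4 class compiled against 9.x cannot link against 8.x. Only the class and method names come from the error message in the question; the class `NimbusCompatibilityCheck` and its method names are assumptions made for this example.

```java
import java.lang.reflect.Method;
import java.util.Map;

/**
 * Added example: fail fast if the nimbus-jose-jwt on the classpath predates 9.0.
 *
 * Spring Security 5.4's NimbusJwtDecoder links against the descriptor
 * Header.toJSONObject()Ljava/util/Map; (see the NoSuchMethodError in the question).
 * Nimbus 8.x declares the same method with return type net.minidev.json.JSONObject,
 * which is a different descriptor as far as the JVM linker is concerned.
 */
public final class NimbusCompatibilityCheck {

    // Taken from the error message in the thread; nothing else is looked up.
    static final String HEADER_CLASS = "com.nimbusds.jose.Header";
    static final String METHOD_NAME = "toJSONObject";

    private NimbusCompatibilityCheck() {
    }

    /**
     * Returns the JVM-style descriptor of Header.toJSONObject() as actually present
     * on the classpath, e.g. "toJSONObject()Ljava/util/Map;" for Nimbus 9.x or
     * "toJSONObject()Lnet/minidev/json/JSONObject;" for Nimbus 8.x.
     */
    public static String presentDescriptor() throws ReflectiveOperationException {
        Class<?> header = Class.forName(HEADER_CLASS);
        Method m = header.getMethod(METHOD_NAME);
        // Declared return type, not the runtime type: this is what the linker compares.
        String internalName = m.getReturnType().getName().replace('.', '/');
        return METHOD_NAME + "()L" + internalName + ";";
    }

    /**
     * True only when the declared return type is exactly java.util.Map, i.e. the
     * descriptor Spring Security 5.4 was compiled against. JSONObject implements Map,
     * so an isAssignableFrom() check would wrongly accept Nimbus 8.x.
     */
    public static boolean matchesSpringSecurity54() {
        try {
            Class<?> ret = Class.forName(HEADER_CLASS).getMethod(METHOD_NAME).getReturnType();
            return Map.class.equals(ret);
        } catch (ReflectiveOperationException e) {
            // Nimbus missing entirely, or the method was renamed: treat as incompatible.
            return false;
        }
    }

    /** Run once at start-up (e.g. from a Spring Boot ApplicationRunner) and abort on mismatch. */
    public static void main(String[] args) throws Exception {
        String descriptor = presentDescriptor();
        // Implementation-Version comes from the jar manifest and may be null if absent.
        String version = Class.forName(HEADER_CLASS).getPackage().getImplementationVersion();
        System.out.println("nimbus-jose-jwt " + version + " provides " + descriptor);
        if (!matchesSpringSecurity54()) {
            throw new IllegalStateException(
                    "nimbus-jose-jwt on the classpath is older than 9.0; Spring Security 5.4 "
                            + "needs Header.toJSONObject()Ljava/util/Map; but found " + descriptor);
        }
    }
}
```

Run it with the application's resolved runtime classpath (for Maven, `mvn dependency:build-classpath` gives that list), since the point is to inspect the jar that Spring Boot's dependency management actually selected rather than the one declared in the POM.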
Comment From: mattjamison
This makes total sense, I just naively thought there might be a dependency that needed to be updated somewhere. I did pull in the dep myself and that worked great. Thanks for the detailed explanation!
Comment From: amergey
spring-security-oauth2-client has a dependency on oauth2-oidc-sdk, which itself depends on nimbus-jose-jwt 8 (https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues/313/upgrade-nimbus-jose-jwt-to-v9). I am wondering if this set of inconsistent dependencies could lead to some issues.
Comment From: jzheaux
@amergey, I think that this is something good to take up with the Nimbus team. There is currently a PR to upgrade oauth2-oidc-sdk to the latest nimbus-jose-jwt.
Spring Security will continue to try and take the latest of both as this is ideal from a security perspective.