Describe the bug
When we try to run our application, the metadata load fails with 401 Unauthorized.
In the log what we see is:
"level":"ERROR","categories":[],"msg":"Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Filter execution threw an exception] with root cause","stacktrace":["java.lang.NoSuchMethodError: com.nimbusds.jose.Header.toJSONObject()Ljava/util/Map;","\tat org.springframework.security.oauth2.jwt.NimbusJwtDecoder.createJwt(NimbusJwtDecoder.java:154)","\tat org.springframework.security.oauth2.jwt.NimbusJwtDecoder.decode(NimbusJwtDecoder.java:136)",
In our project I upgraded to spring-boot-dependencies: 2.4.0
<spring.boot.version>2.4.0</spring.boot.version>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <version>${spring.boot.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>
Now I got a newer nimbus: 9.1.2
\- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.7.8:compile
[INFO] | +- com.sap.cloud.security.xsuaa:spring-xsuaa:jar:2.7.8:compile
[INFO] | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] | | | \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] | | \- com.sap.cloud.security.xsuaa:api:jar:2.7.8:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-security:jar:2.4.0:compile
[INFO] | | +- org.springframework:spring-aop:jar:5.3.1:compile
[INFO] | | | \- org.springframework:spring-beans:jar:5.3.1:compile
[INFO] | | +- org.springframework.security:spring-security-config:jar:5.4.1:compile
[INFO] | | \- org.springframework.security:spring-security-web:jar:5.4.1:compile
[INFO] | | \- org.springframework:spring-expression:jar:5.3.1:compile
[INFO] | +- org.springframework.security:spring-security-oauth2-jose:jar:5.4.1:compile
[INFO] | | +- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile
[INFO] | | | \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | | +- org.springframework.security:spring-security-core:jar:5.4.1:compile
[INFO] | | \- org.springframework.security:spring-security-oauth2-core:jar:5.4.1:compile
[INFO] | \- org.springframework.security:spring-security-oauth2-resource-server:jar:5.4.1:compile
I saw this incident: https://github.com/spring-projects/spring-security/issues/9120
where the com.nimbusds:nimbus-jose-jwt 9.0.1 solved the issue. Should I also use that version?
Best Regards, Laszlo
Comment From: jzheaux
Thanks for the report, @mikolasz.
It seems like something else might be going on since that Nimbus method has been there since 9.0.
I'm not able to reproduce the issue with Spring Boot 2.4.0. Are you able to create a minimal sample of your application that does?
Comment From: mikolasz
Hi Josh,
The problem is the same as https://github.com/SAP/cloud-security-xsuaa-integration/issues/413. We have now solved the issue by using the proper version.
I'm closing this incident.
Best regards, Laszlo
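
Added example (not part of the thread and not code from Spring Security or SAP): a small reflection check for the kind of `NoSuchMethodError` reported above, which is raised when the class loaded at runtime has no method with the exact name and return type the caller was compiled against. The class name `MethodDescriptorCheck` is hypothetical; the default arguments are taken from the error line in the report.

```java
import java.lang.reflect.Method;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;

// Added diagnostic; run it on the same runtime classpath as the application.
public class MethodDescriptorCheck {

    // Reports where className was loaded from and whether it exposes a public
    // no-arg method methodName whose return type is exactly expectedReturn.
    static String check(String className, String methodName, String expectedReturn) {
        try {
            // initialize=false: inspect the class without running static initializers
            Class<?> cls = Class.forName(className, false,
                    MethodDescriptorCheck.class.getClassLoader());
            CodeSource src = cls.getProtectionDomain().getCodeSource();
            String origin = (src == null) ? "<bootstrap or unknown>"
                                          : String.valueOf(src.getLocation());

            // The JVM links on name + descriptor, so the return type must match too.
            List<String> found = new ArrayList<>();
            for (Method m : cls.getMethods()) {
                if (m.getName().equals(methodName) && m.getParameterCount() == 0) {
                    found.add(m.getReturnType().getName());
                }
            }
            String verdict = found.contains(expectedReturn) ? "OK" : "MISMATCH";
            return verdict + ": " + className + "." + methodName + "() returns " + found
                    + ", caller expects " + expectedReturn + ", loaded from " + origin;
        } catch (ClassNotFoundException | LinkageError e) {
            return "NOT LOADABLE: " + className + " (" + e + ")";
        }
    }

    public static void main(String[] args) {
        // Defaults come from the NoSuchMethodError line in the report above.
        String cls = args.length > 0 ? args[0] : "com.nimbusds.jose.Header";
        String method = args.length > 1 ? args[1] : "toJSONObject";
        String ret = args.length > 2 ? args[2] : "java.util.Map";
        System.out.println(check(cls, method, ret));
        // Sanity check against a JDK class that is always present.
        System.out.println(check("java.lang.String", "length", "int"));
    }
}
```

The "loaded from" location names the jar that actually supplied the class, which can then be compared with the version shown by `mvn dependency:tree`. In a repackaged Spring Boot jar, call `check(...)` from inside the running application so the same class loader is used.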