Currently, Spring Security selects the latest oauth2-oidc-sdk and nimbus-jose-jwt dependencies. This can create issues when those dependencies are out of sync, though, and recently created a larger issue due to a 6-month gap between the nimbus-jose-jwt major and the oauth2-oidc-sdk major.
Changing the dependency constraints to selecting the compatible majors for these two dependencies will ensure that there are no major incompatibilities between the two.