Describe the bug: After upgrading to 5.8.2, it is no longer possible to authenticate with a JWT containing duplicated keys in the payload.
We're aware that having duplicated keys in JSON makes no sense; however, as the JWT is something we don't control because it is provided by an external provider, we should still be able to authenticate with this token, which is valid from the JSON specification's point of view.
We believe the issue is connected to the change in the nimbus-jose-jwt library, which in 2.94 replaced JSON Smart with Gson.
The issue is in the JSONObjectUtils#parser() method:
com.nimbusds.jose.shaded.gson.JsonSyntaxException: duplicate key: sub
at com.nimbusds.jose.shaded.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:189)
at com.nimbusds.jose.shaded.gson.internal.bind.MapTypeAdapterFactory$Adapter.read(MapTypeAdapterFactory.java:144)
at com.nimbusds.jose.shaded.gson.Gson.fromJson(Gson.java:1058)
at com.nimbusds.jose.shaded.gson.Gson.fromJson(Gson.java:1016)
at com.nimbusds.jose.shaded.gson.Gson.fromJson(Gson.java:959)
at com.nimbusds.jose.util.JSONObjectUtils.parse(JSONObjectUtils.java:124)
at com.nimbusds.jose.util.JSONObjectUtils.parse(JSONObjectUtils.java:83)
at com.nimbusds.jose.Payload.toJSONObject(Payload.java:356)
at com.nimbusds.jwt.SignedJWT.getJWTClaimsSet(SignedJWT.java:95)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.extractJWTClaimsSet(DefaultJWTProcessor.java:259)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:352)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:303)
at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder.createClaimsSet(NimbusReactiveJwtDecoder.java:260)
[...]
Expected behavior: It is possible again to authenticate with a JWT containing duplicated keys in the payload.
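Added example (not code from the issue, Spring Security or nimbus-jose-jwt): a Python sketch of the two parser behaviours at stake, last-value-wins versus rejecting duplicate claim names, run over a constructed token whose payload repeats `sub`. The token, its header and its signature segment are placeholders; signature verification is assumed to happen before the payload is inspected.

```python
import base64
import json

# Constructed sample payload (not a real token): the "sub" claim appears twice,
# mirroring the duplicate-key situation described in the issue above.
DUPLICATE_PAYLOAD_JSON = (
    '{"iss":"https://idp.example","sub":"alice","sub":"bob","exp":4102444800}'
)


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(payload_json: str) -> str:
    """Assemble header.payload.signature with placeholder header and signature segments."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(payload_json.encode()).rstrip(b"=").decode()
    return f"{header}.{body}.c2ln"  # "c2ln" is a constructed placeholder signature


class DuplicateClaimError(ValueError):
    """Raised when a claim name occurs more than once in the payload object."""


def _reject_duplicates(pairs):
    # object_pairs_hook receives every (name, value) pair in document order,
    # so a repeated name is visible here even though dict() would hide it.
    seen = {}
    for name, value in pairs:
        if name in seen:
            raise DuplicateClaimError(f"duplicate claim name: {name}")
        seen[name] = value
    return seen


def decode_payload_last_wins(token: str) -> dict:
    """Lenient behaviour: a duplicate claim silently resolves to the last value."""
    return json.loads(b64url_decode(token.split(".")[1]))


def decode_payload_strict(token: str) -> dict:
    """Strict behaviour (what the Gson-backed parser in the trace above does): reject duplicates."""
    return json.loads(b64url_decode(token.split(".")[1]), object_pairs_hook=_reject_duplicates)


def payload_has_duplicate_claims(token: str) -> bool:
    """True if the strict parser would refuse this token; useful as a pre-check or log signal."""
    try:
        decode_payload_strict(token)
    except DuplicateClaimError:
        return True
    return False


SAMPLE_TOKEN = build_sample_token(DUPLICATE_PAYLOAD_JSON)
```

Two components that disagree on which `sub` wins (lenient issuer-side tooling versus a strict consumer) is the risk the strict parser removes, which is why a pre-check like `payload_has_duplicate_claims` is worth logging at the decoder boundary.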
Comment From: sjohnr
@lde-avaleo, are you able to override the version of nimbus-jose-jwt in dependency management?
Comment From: lde-avaleo
@sjohnr, after downgrading nimbus-jose-jwt to 9.23 it seems to work. However, now we have the security vulnerability CVE-2023-1370 reported for json-smart...
Comment From: sjohnr
Sorry to hear that, @lde-avaleo. I'd recommend reaching out to the team that maintains the nimbus-jose-jwt library about this. I believe you can do so here.
I'm going to close this issue for now, as I'm not sure there's anything on the Spring Security side to do, but feel free to let me know if you have any additional thoughts or updates. We can always re-open if needed.