Spring: 2.4.2
Caused by: java.lang.ClassCastException: com.nimbusds.jose.shaded.json.JSONObject cannot be cast to net.minidev.json.JSONObject
<oauth2-oidc-sdk.version>8.23.1</oauth2-oidc-sdk.version>
<nimbus-jose-jwt.version>9.1.3</nimbus-jose-jwt.version>
nimbus-jose-jwt:

    public Map<String, Object> toJSONObject() {
        return toJSONObject(false);
    }

oauth2-oidc-sdk:

    public IDTokenClaimsSet(final JWTClaimsSet jwtClaimsSet) throws ParseException {
        this(jwtClaimsSet.toJSONObject());
    }

There is no constructor for IDTokenClaimsSet that takes a Map.
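A minimal reproducer for the exception in the report, added here as an example; it is not code from the reporter, from Spring Boot or from the Nimbus projects. It assumes the Spring Boot 2.4.2 managed versions quoted above are on the classpath (com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.23.1) and uses constructed sample claim values. With that pairing the IDTokenClaimsSet(JWTClaimsSet) constructor is where the ClassCastException surfaces, because the SDK hands the result of toJSONObject() to a constructor that expects net.minidev.json.JSONObject while the 9.x runtime object is the shaded copy; with nimbus-jose-jwt 8.x on the classpath the same program is expected to print the subject.

```java
import java.util.Date;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;

/**
 * Reproducer for the nimbus-jose-jwt 9.x / oauth2-oidc-sdk 8.x mismatch.
 * Assumed classpath: nimbus-jose-jwt 9.1.3 and oauth2-oidc-sdk 8.23.1
 * (the Spring Boot 2.4.2 defaults); no Spring Security involved.
 */
public class IdTokenClaimsCastRepro {

    /** Builds a claims set with the claims IDTokenClaimsSet requires (iss, sub, aud, exp, iat). */
    static JWTClaimsSet sampleClaims() {
        long now = System.currentTimeMillis();
        return new JWTClaimsSet.Builder()
                .issuer("https://issuer.example")   // constructed sample values, not a real IdP
                .subject("alice")
                .audience("client-1")
                .issueTime(new Date(now))
                .expirationTime(new Date(now + 60_000))
                .build();
    }

    public static void main(String[] args) throws ParseException {
        JWTClaimsSet claims = sampleClaims();

        // On nimbus-jose-jwt 9.x toJSONObject() returns Map<String, Object> backed by
        // com.nimbusds.jose.shaded.json.JSONObject. oauth2-oidc-sdk 8.x passes that object
        // to a constructor that expects net.minidev.json.JSONObject, so this line throws
        // "ClassCastException: com.nimbusds.jose.shaded.json.JSONObject cannot be cast to
        // net.minidev.json.JSONObject". With nimbus-jose-jwt 8.x it completes normally.
        IDTokenClaimsSet idToken = new IDTokenClaimsSet(claims);

        System.out.println("subject: " + idToken.getSubject());
    }
}
```

To see both outcomes, run the class once with the Boot-managed versions and once with the properties overridden in the project's pom (nimbus-jose-jwt.version and oauth2-oidc-sdk.version are the property names Spring Boot's dependency management honours, as in the report above).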
Comment From: blommish
Also mentioned here https://stackoverflow.com/questions/65012506/spring-boot-migration-from-2-3-6-release-to-2-4-0-and-json-classcastexception
Comment From: wilkinsona
Thanks, @blommish.
We're using 9.x of nimbus-jose-jwt as that's the version used by Spring Security 5.4. We've drifted out of alignment a little as Spring Security 5.4.2 uses com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.28.1 by default while our dependency management in 2.4.2 provides com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.23.1. We could upgrade to 8.28.1 of the OIDC SDK but I don't think this will help as the incompatibility still appears to be present.

Our dependency management of nimbus-jose-jwt and oauth2-oidc-sdk is for Spring Security's purposes so there may be cases when Spring Security isn't involved that the versions need to be overridden. That said, oauth2-oidc-sdk:8.28.1 depends on nimbus-jose-jwt:8.18 so it does seem a little odd to me that Spring Security is overriding the version of nimbus-jose-jwt to a new and incompatible major version. I'll ask the Security team to take a look.
@blommish you haven't said how you're using the dependencies. To help us fully understand your use case, could you please provide a small sample that reproduces the ClassCastException? You can share it with us by zipping it up and attaching it to this issue or by pushing it to a separate repository on GitHub.
Comment From: blommish
Thanks for looking into this.
I see. We have another dependency, for security, which validates tokens. This repository however overrides the dependency versions, but I had hoped that I wouldn't need to override this to get things to work; then something else might stop working.
<nimbus.jose.jwt.version>8.20.1</nimbus.jose.jwt.version>
<oauth2-oidc-sdk.version>8.36</oauth2-oidc-sdk.version>
https://github.com/navikt/token-support/blob/master/token-validation-core/src/main/java/no/nav/security/token/support/core/validation/DefaultJwtTokenValidator.java#L46

This calls validate in IDTokenValidator in com.nimbusds.openid.connect.sdk.validators:

    import com.nimbusds.jwt.JWT;
    import com.nimbusds.jwt.JWTParser;
    import com.nimbusds.openid.connect.sdk.Nonce;

    public void assertValidToken(String tokenString, String expectedNonce) throws JwtTokenValidatorException {
        JWT token = null;
        try {
            token = JWTParser.parse(tokenString);
            // get(token) resolves the IDTokenValidator for the token's issuer (method of the
            // surrounding class, not shown here); validate() is where the SDK builds the IDTokenClaimsSet
            get(token).validate(token, expectedNonce != null ? new Nonce(expectedNonce) : null);
        } catch (Throwable t) {
            throw new JwtTokenValidatorException("Token validation failed", expiryDate(token), t);
        }
    }
Comment From: wilkinsona
"I had hoped that I wouldn't need to override this to get things to work, then something else might stop working"
I can't help you with that as I don't have the whole picture here. Are you using Spring Security in your application? If not, you should be able to use whichever versions of the OIDC SDK and Nimbus JOSE JWT meet your needs.
Comment From: blommish
I see. We are not, so I guess I just have to override it then. Thanks!
Comment From: wilkinsona
Let's keep this open while we discuss things with the Spring Security team. Depending on what they decide to do about their incompatible dependencies, we may need to make some changes in Boot.
Comment From: wilkinsona
Spring Security has downgraded to Nimbus JOSE JWT 8.x in 5.4.3. We should do the same to restore compatibility. 5.4.3 is scheduled for 12 February so we should make this change in 2.4.3 which is scheduled for 18 February.
Comment From: blommish
Very nice, thanks!
Comment From: wilkinsona
The downgrade in Spring Security didn't work and it's now compiling against 9.5. I've opened https://github.com/spring-projects/spring-security/pull/9453. We'll have to wait for another Security release.