Hi!
When updating from Spring Boot 2.4.2 to Spring Boot 2.4.3 we discovered an undocumented breaking change on the managed version of Nimbus JOSE JWT library.
Spring Boot 2.4.3 contains the following change: https://github.com/spring-projects/spring-boot/issues/25070
This downgrades the library from 9.1.3 to 8.20.2.
This is a breaking change as it throws the following NoSuchMethodError on our code base:
Caused by: java.lang.NoSuchMethodError: 'java.util.Map com.nimbusds.jwt.JWTClaimsSet.getJSONObjectClaim(java.lang.String)'
This dependency downgrade is not listed in the release notes: https://github.com/spring-projects/spring-boot/releases/tag/v2.4.3
I saw in the release notes of Spring Boot 2.5.2-M2 that it includes an update to Nimbus JOSE JWT 9.5. See: https://github.com/spring-projects/spring-boot/issues/25249
Comment From: wilkinsona
Thanks for raising this. The change is listed in the release notes but it's not as prominent as we had intended. There's an entry in the list of bug fixes:
Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible #25070
I've updated the release notes to add a new entry at the top that describes the changes and suggests using nimbus-jose-jwt.version to move back to 9.x if you need to do so.
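For readers who want to apply the override mentioned above, here is an added example (not code from the thread or from the Spring Boot project) of pinning the managed version back to 9.x in a Maven build that inherits from spring-boot-starter-parent. The version number 9.1.3 is the one the issue reporter was on before the downgrade; the project coordinates are placeholders.

```xml
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.3</version>
  </parent>

  <groupId>example.placeholder</groupId>
  <artifactId>my-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Spring Boot 2.4.3 manages nimbus-jose-jwt at 8.20.2 (see #25070).
         Overriding the managed-version property restores the 9.x API,
         including JWTClaimsSet.getJSONObjectClaim(String). -->
    <nimbus-jose-jwt.version>9.1.3</nimbus-jose-jwt.version>
  </properties>

  <dependencies>
    <!-- The starter pulls in nimbus-jose-jwt via spring-security-oauth2-jose;
         the property above decides which version is resolved. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
  </dependencies>
</project>
```

The same property works with the Gradle dependency-management plugin as `ext['nimbus-jose-jwt.version'] = '9.1.3'`. After overriding, run `mvn dependency:tree` and confirm that only one nimbus-jose-jwt version is on the classpath; the downgrade in #25070 was made because the managed oauth2-oidc-sdk and nimbus-jose-jwt versions were incompatible, so any code path that uses oauth2-oidc-sdk should be retested against the restored 9.x library.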
Comment From: dkroehan
Thx for updating the release notes :)
The entry in the list of bug fixes helped me to actually find the root cause.
In general I didn't and also wouldn't expect any breaking changes in the list of bug fixes.
Comment From: wilkinsona
In general I didn't and also wouldn't expect any breaking changes in the list of bug fixes
That's an entirely reasonable expectation. Unfortunately, it was impossible to fix the problem without one and, after much consideration, we decided that the change we made was the least bad option. I think this is the first time we've made a breaking change in a maintenance release and we hope that it will also be the last.