Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible #25070

Closed
blommish opened this issue Feb 1, 2021 · 9 comments
@blommish blommish commented Feb 1, 2021

Spring: 2.4.2
Caused by: java.lang.ClassCastException: com.nimbusds.jose.shaded.json.JSONObject cannot be cast to net.minidev.json.JSONObject

<oauth2-oidc-sdk.version>8.23.1</oauth2-oidc-sdk.version>
<nimbus-jose-jwt.version>9.1.3</nimbus-jose-jwt.version>

nimbus-jose-jwt:

public Map<String, Object> toJSONObject() {
	return toJSONObject(false);
}

oauth2-oidc-sdk:

public IDTokenClaimsSet(final JWTClaimsSet jwtClaimsSet) throws ParseException {
	this(jwtClaimsSet.toJSONObject());
}

There is no constructor for IDTokenClaimsSet with Map<String, Object>

@wilkinsona wilkinsona commented Feb 1, 2021

Thanks, @blommish.

We're using 9.x of nimbus-jose-jwt as that's the version used by Spring Security 5.4. We've drifted out of alignment a little as Spring Security 5.4.2 uses com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.28.1 by default while our dependency management in 2.4.2 provides com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.23.1. We could upgrade to 8.28.1 of the OIDC SDK but I don't think this will help as the incompatibility still appears to be present.

Our dependency management of nimbus-jose-jwt and oauth2-oidc-sdk is for Spring Security's purposes so there may be cases when Spring Security isn't involved that the versions need to be overridden. That said, oauth2-oidc-sdk:8.28.1 depends on nimbus-jose-jwt:8.18 so it does seem a little odd to me that Spring Security is overriding the version of nimbus-jose-jwt to a new and incompatible major version. I'll ask the Security team to take a look.

@blommish you haven't said how you're using the dependencies. To help us fully understand your use case, could you please provide a small sample that reproduces the ClassCastException? You can share it with us by zipping it up and attaching it to this issue or by pushing it to a separate repository on GitHub.

@blommish blommish commented Feb 1, 2021

Thanks for looking into this.

I see.
We have another dependency, for security, which validates tokens. This repository however overrides the dependency versions, but I had hoped that I wouldn't need to override this to get things to work, then something else might stop working.

<nimbus.jose.jwt.version>8.20.1</nimbus.jose.jwt.version>
<oauth2-oidc-sdk.version>8.36</oauth2-oidc-sdk.version>

https://github.com/navikt/token-support/blob/master/token-validation-core/src/main/java/no/nav/security/token/support/core/validation/DefaultJwtTokenValidator.java#L46
This calls validate in IDTokenValidator in com.nimbusds.openid.connect.sdk.validators

public void assertValidToken(String tokenString, String expectedNonce) throws JwtTokenValidatorException {
    JWT token = null;
    try {
        token = JWTParser.parse(tokenString);
        get(token).validate(token, expectedNonce != null ? new Nonce(expectedNonce) : null);
    } catch (Throwable t) {
        throw new JwtTokenValidatorException("Token validation failed", expiryDate(token), t);
    }
}

@wilkinsona wilkinsona commented Feb 1, 2021

I had hoped that I wouldn't need to override this to get things to work, then something else might stop working

I can't help you with that as I don't have the whole picture here. Are you using Spring Security in your application? If not, you should be able to use whichever versions of the OIDC SDK and Nimbus JOSE JWT meet your needs.

@blommish blommish commented Feb 1, 2021

I see. We are not, so I guess I just have to override it then. Thanks!

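The override discussed above, written out as a complete Maven build file. This is an added example, not code from the issue or from either project; it assumes `spring-boot-starter-parent` 2.4.2 and uses the `oauth2-oidc-sdk.version` / `nimbus-jose-jwt.version` property names that Boot's dependency management exposes (the same names shown in the report), with the 8.x pair the reporter's token-validation dependency pins. The `com.example` coordinates are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Inherit Spring Boot's dependency management (version assumed from this thread) -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.2</version>
    <relativePath/>
  </parent>

  <!-- Placeholder coordinates for the example project -->
  <groupId>com.example</groupId>
  <artifactId>token-validation-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Boot 2.4.2 manages oauth2-oidc-sdk 8.23.1 together with nimbus-jose-jwt 9.1.3,
         which mixes major versions and produces the JSONObject ClassCastException.
         Redefining the properties here takes precedence over the parent's values,
         so both artifacts resolve to a pair on the same 8.x line. -->
    <oauth2-oidc-sdk.version>8.36</oauth2-oidc-sdk.version>
    <nimbus-jose-jwt.version>8.20.1</nimbus-jose-jwt.version>
  </properties>

  <dependencies>
    <!-- No explicit <version>: the managed (now overridden) versions apply.
         The same override also governs these artifacts when they arrive
         transitively, because Maven's dependencyManagement wins over the
         version declared by a transitive dependency. -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
    </dependency>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=com.nimbusds`: both artifacts should appear at the overridden versions. This matters because the managed version applies even to the copy of nimbus-jose-jwt pulled in transitively by the OIDC SDK, so without the property override Boot's 9.x pin silently replaces the 8.x version the SDK was compiled against.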
@blommish blommish closed this Feb 1, 2021
@wilkinsona wilkinsona commented Feb 1, 2021

Let's keep this open while we discuss things with the Spring Security team. Depending on what they decide to do about their incompatible dependencies, we may need to make some changes in Boot.

@wilkinsona wilkinsona reopened this Feb 1, 2021
@wilkinsona wilkinsona changed the title Bug report: Spring 2.4.2 - Versions of oauth2-oidc-sdk and nimbus-jose-jwt not compatible Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible Feb 1, 2021
@wilkinsona wilkinsona added this to the 2.4.x milestone Feb 1, 2021
@wilkinsona wilkinsona commented Feb 4, 2021

Spring Security has downgraded to Nimbus JOSE JWT 8.x in 5.4.3. We should do the same to restore compatibility. 5.4.3 is scheduled for 12 February so we should make this change in 2.4.3 which is scheduled for 18 February.

@blommish blommish commented Feb 5, 2021

Very nice, thanks!

@wilkinsona wilkinsona commented Feb 12, 2021

The downgrade in Spring Security didn't work and it's now compiling against 9.5. I've opened spring-projects/spring-security#9453. We'll have to wait for another Security release.

@wilkinsona wilkinsona modified the milestones: 2.4.3, 2.4.x Feb 12, 2021
@wilkinsona wilkinsona modified the milestones: 2.4.x, 2.4.3 Feb 17, 2021