
Dependency convergence failed: nimbus-jose-jwt #13843

Closed
matsev opened this issue Sep 17, 2023 · 10 comments
Labels
in: build An issue in the build in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) type: bug A general bug

Comments

@matsev
Contributor

matsev commented Sep 17, 2023

Dependency convergence conflict for com.nimbusds:nimbus-jose-jwt using Spring Boot version 3.1.3 / Spring Security version 6.1.3

Step by step:

  1. Copy the following pom.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.3</version>
        <relativePath/>
    </parent>

    <groupId>com.example.test</groupId>
    <artifactId>dependency-convergence</artifactId>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <phase>validate</phase>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
  2. Execute mvn validate

Expected result
The dependencies should converge, i.e. every (transitive) dependency should have exactly one version specified.

Actual result
Two different versions of the nimbus-jose-jwt are imported transitively:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.3.0:enforce (enforce) on project dependency-convergence: 
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR] 
[ERROR] Dependency convergence error for com.nimbusds:nimbus-jose-jwt:jar:9.24.4 paths to dependency are:
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:oauth2-oidc-sdk:jar:9.43.3:compile
[ERROR]         +-com.nimbusds:nimbus-jose-jwt:jar:9.24.4:compile
[ERROR] and
[ERROR] +-com.example.test:dependency-convergence:jar:3.1.3
[ERROR]   +-org.springframework.boot:spring-boot-starter-oauth2-client:jar:3.1.3:compile
[ERROR]     +-org.springframework.security:spring-security-oauth2-jose:jar:6.1.3:compile
[ERROR]       +-com.nimbusds:nimbus-jose-jwt:jar:9.31:compile
@matsev matsev added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Sep 17, 2023
@matsev
Contributor Author

matsev commented Sep 17, 2023

Originally reported at spring-projects/spring-boot#37437, but cross-reported here after this comment from @wilkinsona

@matsev
Contributor Author

matsev commented Sep 17, 2023

Probably related to #13333

@wilkinsona
Member

Note that the problem can be reproduced without involving Boot:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.example.test</groupId>
    <artifactId>dependency-convergence</artifactId>
    <version>0.0.1</version>

    <dependencies>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-client</artifactId>
            <version>6.1.3</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
            <version>6.1.3</version>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <version>3.0.0</version>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <phase>validate</phase>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
[INFO] --- maven-enforcer-plugin:3.0.0:enforce (enforce) @ dependency-convergence ---
[WARNING] 
Dependency convergence error for io.micrometer:micrometer-observation:jar:1.10.10:compile paths to dependency are:
+-com.example.test:dependency-convergence:jar:0.0.1
  +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
    +-org.springframework.security:spring-security-core:jar:6.1.3:compile
      +-io.micrometer:micrometer-observation:jar:1.10.10:compile
and
+-com.example.test:dependency-convergence:jar:0.0.1
  +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
    +-org.springframework.security:spring-security-oauth2-core:jar:6.1.3:compile
      +-org.springframework:spring-web:jar:6.0.11:compile
        +-io.micrometer:micrometer-observation:jar:1.10.9:compile

[WARNING] 
Dependency convergence error for com.nimbusds:nimbus-jose-jwt:jar:9.24.4:compile paths to dependency are:
+-com.example.test:dependency-convergence:jar:0.0.1
  +-org.springframework.security:spring-security-oauth2-client:jar:6.1.3:compile
    +-com.nimbusds:oauth2-oidc-sdk:jar:9.43.3:compile
      +-com.nimbusds:nimbus-jose-jwt:jar:9.24.4:compile
and
+-com.example.test:dependency-convergence:jar:0.0.1
  +-org.springframework.security:spring-security-oauth2-jose:jar:6.1.3:compile
    +-com.nimbusds:nimbus-jose-jwt:jar:9.31:compile

There's an additional problem here with micrometer-observation that Boot's dependency management addresses. I think that's a reasonable role for Boot to play as the problem is across multiple projects (Spring Framework and Spring Security). The problem with nimbus-jose-jwt is different as it's two modules within the same project that cannot agree upon the version of a transitive dependency.
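As an added example (not code from the issue, Spring Boot or Spring Security), this is the consumer-side workaround for the nimbus-jose-jwt half of the report while the Spring Security build is being fixed: declare the artifact once in the project's own `<dependencyManagement>`. Maven applies those entries to transitive dependencies as well, so both the oauth2-oidc-sdk path and the spring-security-oauth2-jose path resolve to the single version declared there, and a project-level entry takes precedence over anything inherited from spring-boot-starter-parent. The pinned version 9.31 is an assumption chosen because it is the higher of the two versions in the enforcer report; pick the version you have verified against the oauth2-oidc-sdk release you ship. The enforcer rule is kept exactly as in the original reproduction so the next divergence still fails the build.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.3</version>
        <relativePath/>
    </parent>

    <groupId>com.example.test</groupId>
    <artifactId>dependency-convergence</artifactId>

    <!-- dependencyManagement entries are applied to transitive dependencies too, so
         oauth2-oidc-sdk -> nimbus-jose-jwt (9.24.4) and
         spring-security-oauth2-jose -> nimbus-jose-jwt (9.31)
         both resolve to the one version declared here. -->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
                <!-- Assumed pin for illustration: the higher of the two reported versions.
                     Verify it against the oauth2-oidc-sdk version actually on your classpath. -->
                <version>9.31</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-oauth2-client</artifactId>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <!-- Unchanged from the reproduction: keep the rule so future divergence
                 (including one introduced by a parent or BOM upgrade) fails validate. -->
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <executions>
                    <execution>
                        <id>enforce</id>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <phase>validate</phase>
                        <configuration>
                            <rules>
                                <DependencyConvergence/>
                            </rules>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>
```

Run `mvn validate` to confirm the rule now passes, and `mvn dependency:tree -Dincludes=com.nimbusds` to see that only one nimbus-jose-jwt version is resolved. A pin of this kind overrides the combination the Spring Security build was tested with, so exercise the OIDC login and JWT validation paths after setting or changing it, and remove the entry once the upstream fix ships so the managed version takes over again.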

@sjohnr sjohnr self-assigned this Sep 27, 2023
@sjohnr sjohnr added in: build An issue in the build in: oauth2 An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose) and removed status: waiting-for-triage An issue we've not yet triaged labels Sep 27, 2023
@sjohnr
Member

sjohnr commented Sep 27, 2023

Thanks for reporting this @matsev, and thanks for the additional info @wilkinsona.

I opened gh-13333 for this, but wasn't clear on what happened to get us to this point. With some research, I now see what happened. Our dependency management updates are designed to keep the version of oauth2-oidc-sdk and nimbus-jose-jwt versioned together for consistency, which is challenging due to that project's particular versioning scheme.

When we updated to com.nimbusds:oauth2-oidc-sdk version 9.43.2, it updated nimbus-jose-jwt to the version that library depends on, which is com.nimbusds:nimbus-jose-jwt:9.31.

However, in the very next release of com.nimbusds:oauth2-oidc-sdk, which is 9.43.3, they downgraded (went back) to com.nimbusds:nimbus-jose-jwt:9.24.4.

So I believe we need to simply apply the same downgrade ourselves. Anything you folks see that I'm missing?

@matsev
Contributor Author

matsev commented Sep 28, 2023

@sjohnr I am sorry, I don't have much to add to this issue. I was just surprised when I discovered the conflicting versions after we added the Spring Boot OAuth2 Starter as a dependency to our project. We do not plan to implement any OAuth2 logic ourselves, so we are happy as long as the OAuth2 abstractions provided by Spring Boot / Spring Security work as expected.

That said, perhaps there is a better way? Questions:

  • Is com.nimbusds providing a Maven bom file (I guess not, since this issue surfaced)?
  • Maybe connect2id has a compatibility matrix for their products (I looked at the nimbus-oauth-openid-connect-sdk and the nimbus-jose-jwt product pages, but there was none)?
  • Perhaps you can reach out to support@connect2id.com and ask for advice (I found this email address at the bottom of the readme at the oauth2-oidc-sdk repository)? There is also a page with issue tracking; maybe one can submit new tickets there if one signs up?
  • Also noticing that the oauth2-oidc-sdk project has released two more major versions (10.x and 11.x), would it be feasible to upgrade (or perhaps that would cause breaking changes to spring-security-oauth2-client, prompting for a major version bump of it as well)?
  • The nimbus-jose-jwt package, on the other hand, has only had minor version updates, 9.35 being the latest one; maybe that solves the problem?

@sjohnr
Member

sjohnr commented Sep 28, 2023

I've opened an issue on the connect2id issue tracker.

@ThomasKasene

Another question:
Would it make any sense for Spring Security's build pipeline to have something like the Maven dependency plugin's DependencyConvergence rule in order to discover these kinds of issues before a release? 😄

I'm no Gradle expert, but it seems like there's an available alternative for Gradle too.

@philwebb
Member

@sjohnr Any thoughts about #13843 (comment) and adding something to prevent future convergence?

@sjohnr
Member

sjohnr commented Oct 10, 2023

@philwebb @ThomasKasene thanks for the input! Yes, I agree and I've opened gh-13990 to address this.

@rhanton

rhanton commented Apr 3, 2024

This is now causing my dependency checker to light up about https://nvd.nist.gov/vuln/detail/CVE-2023-52428 guys. I like the idea of #14245 as well.
