Spring security 5.1.x override dependency com.nimbusds:oauth2-oidc-sdk version.

[Incarnation-p-lee]

When web application leverage spring boot 2.1.x (5.1.x spring security) with azure active directory boot starter, the spring security 5.1.x may override dependency com.nimbusds:oauth2-oidc-sdk from 5.64.4 to 6.0. This 6.0 new version changed the interface API.

azure active directory boot starter depends on AAD java libray, it leverage version 5.64.4. So below override with API change may result in CastException when auth. Details see this issue.

So there is one workaround for this issue like specific 5.64.4 explicitly for com.nimbusds:oauth2-oidc-sdk when users depends on spring boot 2.1.x. But it is difficult to make sure that is there any other risk with this workaround.

Is there any other better solution for this problem, or is there any way to measure the impact with the workaround ? Thanks in advance. Your professional advice is very important to us.

[jzheaux]

@Incarnation-p-lee I've just run our integration suite against 5.64.4 to check and all tests pass.

I don't see anything in the 6.x part of Nimbus's change log that Spring Security 5.1.x uses, though @jgrandja may see something I didn't. While Spring Security does use the classes listed as having breaking changes, like AuthorizationRequest, it doesn't use the constructors and methods whose contracts break.

That said, we don't support or regularly build against Nimbus 5.x so compatibility is likely a happy coincidence.

[Incarnation-p-lee]

@jzheaux
Thanks for you checking and quickly feedback. From you integration test result, the workaround with explicit version for nimbus package may have minor impact or risk, right ?
Thanks again for you information about breaking changes, it may save much time for many developers.

I double checked the dependency graph and list the layout FYI. The version changes from 5.57 to 6.0.

Spring Boot 2.0.1.RELEASE

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.0.4.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:5.57:compile   <==
[INFO] |  |  +- javax.mail:mail:jar:1.4.7:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  +- net.minidev:json-smart:jar:2.3:compile (version selected from constraint [1.3.1,2.3])
[INFO] |  |  |  \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  |  |     \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  |  \- com.nimbusds:lang-tag:jar:1.4.4:compile (version selected from constraint [1.4.3,))
[INFO] |  +- org.springframework.security:spring-security-oauth2-core:jar:5.0.4.RELEASE:compile
[INFO] |  \- org.springframework:spring-core:jar:5.0.5.RELEASE:compile
[INFO] |     \- org.springframework:spring-jcl:jar:5.0.5.RELEASE:compile

Spring Boot 2.1.0 RELEASE.

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.1.1.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:6.0:compile   <==
[INFO] |  |  +- com.sun.mail:javax.mail:jar:1.6.2:compile
[INFO] |  |  |  \- javax.activation:activation:jar:1.1:compile
[INFO] |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  +- net.minidev:json-smart:jar:2.3:compile (version selected from constraint [1.3.1,2.3])
[INFO] |  |  |  \- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  |  |     \- org.ow2.asm:asm:jar:5.0.4:compile
[INFO] |  |  \- com.nimbusds:lang-tag:jar:1.4.4:compile (version selected from constraint [1.4.3,))
[INFO] |  +- org.springframework.security:spring-security-oauth2-core:jar:5.1.1.RELEASE:compile

[jgrandja]

@Incarnation-p-lee The 2 options you have is to either explicitly have developers declare the com.nimbusds:oauth2-oidc-sdk:5.64.4 and therefore override Spring Security version from 6.0 (this option is not ideal for the developer) OR the AAD java library upgrades to 6.x. This makes the most sense since the upgrade to Spring Security 5.1 should also align with the dependencies that Spring Security 5.1 uses which is com.nimbusds:oauth2-oidc-sdk:6.0. Is this not a possible option on your end?

Either way, we cannot downgrade from the current 6.0 version. I'm going to close this issue but if you feel we need to discuss other options than we can re-open to discuss further.

[jzheaux]

@Incarnation-p-lee The impact appears to be minor, yes.

Agreed with @jgrandja that the ideal would, of course, be that the AAD library gets upgraded.

[Incarnation-p-lee]

Thanks @jgrandja and @jzheaux for you professional advice. We may co-work with AAD java library for this conflict first, or override the version on depends.
Thanks again for your help.

[Incarnation-p-lee]

@jzheaux
May I ask one question about the best practice for session stateless configuration of spring security ? When generate/obtain the id_token, how can I return this id_token to user agent ? Http response header or cookies of browser ?
And when browser get this id_token, where should I store it for next request ?
Thanks in advance, this issue troubled me for a while these days.

[jzheaux]

Deciding where to store the id_token follows the same principle as other secure pieces of information. Remember that, if obtained, a malicious user could impersonate an honest user.

Best practice is to keep the tokens on the server-side and maintain a session. The server is much better at keeping secrets than the client. Spring Security can do a lot of this for you out of the box.

To be honest, though, I'm not completely clear on your scenario and why storing it server-side won't work.

StackOverflow is our preferred support platform. Would you mind providing some more detail in maybe a StackOverflow question?

[Incarnation-p-lee]

@jzheaux
Agree. I mean session work well, just personal interest about the session stateless part. I can search that first. Thanks a lot.