Projects using Maven and spring-security-oauth2-client end up with a downgraded version of json-smart that isn't compatible with the managed version of json-path

[ninjacoda]

There is a clash over the transitive dependency on json-smart between spring-security-oauth2-client:5.3.3 and spring-boot-starter-test:2.3.1. The issue was addressed in spring-security-oauth2-client, but spring-boot-dependencies is still causing this to clash.

As this is now an issue with the dependency declaration in spring-boot-dependencies, and because the corresponding ticket has already been closed in spring-security, I'll reopen it here with updated Spring version numbers. (Not sure which ticket queue it should be on.)

Full details are here: spring-projects/spring-security#8608 (comment)

[INFO] +- org.springframework.security:spring-security-oauth2-client:jar:5.3.3.RELEASE:compile
[INFO] |  +- com.nimbusds:oauth2-oidc-sdk:jar:7.1.1:compile (version managed from 7.5)
[INFO] |  |  +- net.minidev:json-smart:jar:1.3.1:compile

Version 1.3.1 doesn't seem to support JSON Path (sufficiently).
Version 2.3 isn't pulled in because of spring-boot-dependenciesimporting an older version of com.nimbusds:oauth2-oidc-sdk:

[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.3.1.RELEASE:test
[INFO] |  +- (org.springframework.boot:spring-boot-starter:jar:2.3.1.RELEASE:test - omitted for duplicate)
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- (net.minidev:json-smart:jar:2.3:test - omitted for conflict with 1.3.1)

Can com.nimbusds:oauth2-oidc-sdk be updated to 7.5 (or 7.+, as in spring-security-oauth2-client)?

		management "com.nimbusds:nimbus-jose-jwt:8.+"
		management "com.nimbusds:oauth2-oidc-sdk:7.+" 

[ninjacoda]

NB: Declaring dependency management in my own POM lets me work around the issue - but it seems that two Spring projects shouldn't really quarrel over their dependencies like this... 😇

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>[2.3,3.0)</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

[wilkinsona]

Thanks for the report. We won't move to a new minor version of a dependency in a maintenance release of Spring Boot so upgrading to oauth2-oidc-sdk 7.5 isn't an option until Boot 2.4. While Spring Security now uses oauth2-oidc-sdk 7.5 by default, it remains compatible with 7.1 so there isn't a "quarrel" here.

The problem's really due to Maven's version conflict resolution. When faced with multiple different versions of a dependency, it resolves the conflict by selecting the version that's nearest to the root of the dependency graph. In this case that is 1.3.1. If you were using Gradle you would not see the problem as it resolves version conflicts by selecting the latest version so you'd end up with 2.3.

We can consider adding some dependency management for json-smart. We've done similar in the past for transitive dependencies to help Maven to do the right thing. In the meantime, adding your own dependency management as you have shown above is a good solution.