
Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible #25070

Closed
blommish opened this issue Feb 1, 2021 · 9 comments
Labels: status: noteworthy (A noteworthy issue to call out in the release notes); type: bug (A general bug)
Milestone: 2.4.3

Comments


blommish commented Feb 1, 2021

Spring: 2.4.2
Caused by: java.lang.ClassCastException: com.nimbusds.jose.shaded.json.JSONObject cannot be cast to net.minidev.json.JSONObject

<oauth2-oidc-sdk.version>8.23.1</oauth2-oidc-sdk.version>
<nimbus-jose-jwt.version>9.1.3</nimbus-jose-jwt.version>

nimbus-jose-jwt (JWTClaimsSet):

// 9.x returns the generic Map interface; the object behind it is the shaded
// com.nimbusds.jose.shaded.json.JSONObject named in the ClassCastException above
public Map<String, Object> toJSONObject() {
	return toJSONObject(false);
}

oauth2-oidc-sdk (IDTokenClaimsSet):

// The 8.x SDK expects a net.minidev.json.JSONObject here; there is no
// Map<String, Object> overload, so the shaded object cannot be accepted
public IDTokenClaimsSet(final JWTClaimsSet jwtClaimsSet) throws ParseException {
	this(jwtClaimsSet.toJSONObject());
}

There is no constructor for IDTokenClaimsSet with Map<String, Object>


blommish commented Feb 1, 2021

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Feb 1, 2021
@wilkinsona (Member)

Thanks, @blommish.

We're using 9.x of nimbus-jose-jwt as that's the version used by Spring Security 5.4. We've drifted out of alignment a little as Spring Security 5.4.2 uses com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.28.1 by default while our dependency management in 2.4.2 provides com.nimbusds:nimbus-jose-jwt:9.1.3 and com.nimbusds:oauth2-oidc-sdk:8.23.1. We could upgrade to 8.28.1 of the OIDC SDK but I don't think this will help as the incompatibility still appears to be present.

Our dependency management of nimbus-jose-jwt and oauth2-oidc-sdk is for Spring Security's purposes so there may be cases when Spring Security isn't involved that the versions need to be overridden. That said, oauth2-oidc-sdk:8.28.1 depends on nimbus-jose-jwt:8.18 so it does seem a little odd to me that Spring Security is overriding the version of nimbus-jose-jwt to a new and incompatible major version. I'll ask the Security team to take a look.

@blommish you haven't said how you're using the dependencies. To help us fully understand your use case, could you please provide a small sample that reproduces the ClassCastException? You can share it with us by zipping it up and attaching it to this issue or by pushing it to a separate repository on GitHub.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Feb 1, 2021

blommish commented Feb 1, 2021

Thanks for looking into this.

I see.
We have another dependency, for security, which validates tokens. This repository, however, overrides the dependency versions, but I had hoped that I wouldn't need to override this to get things to work, or something else might stop working.

<nimbus.jose.jwt.version>8.20.1</nimbus.jose.jwt.version>
<oauth2-oidc-sdk.version>8.36</oauth2-oidc-sdk.version> 

https://github.com/navikt/token-support/blob/master/token-validation-core/src/main/java/no/nav/security/token/support/core/validation/DefaultJwtTokenValidator.java#L46
This calls validate in IDTokenValidator in com.nimbusds.openid.connect.sdk.validators

// Parses the token and delegates to the Nimbus IDTokenValidator for the issuer
public void assertValidToken(String tokenString, String expectedNonce) throws JwtTokenValidatorException {
    JWT token = null;
    try {
        token = JWTParser.parse(tokenString);
        get(token).validate(token, expectedNonce != null ? new Nonce(expectedNonce) : null);
    } catch (Throwable t) {
        throw new JwtTokenValidatorException("Token validation failed", expiryDate(token), t);
    }
}

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Feb 1, 2021
@wilkinsona (Member)

> I had hoped that I wouldn't need to override this to get things to work, then something else might stop working

I can't help you with that as I don't have the whole picture here. Are you using Spring Security in your application? If not, you should be able to use whichever versions of the OIDC SDK and Nimbus JOSE JWT meet your needs.


blommish commented Feb 1, 2021

I see. We are not, so I guess I just have to override it then. Thanks!

@blommish blommish closed this as completed Feb 1, 2021
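For the override route blommish settles on, here is an added example of the Maven configuration (not from the issue, from Spring Boot, or from the reporter's project). It assumes a pom.xml that inherits from spring-boot-starter-parent, whose dependency management exposes the nimbus-jose-jwt.version and oauth2-oidc-sdk.version properties quoted at the top of the issue; the groupId and artifactId are hypothetical. The versions 8.20.1 and 8.36 are the pair the reporter's token-validation library pins; substitute whatever nimbus-jose-jwt version your chosen oauth2-oidc-sdk release actually declares.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.4.2</version>
  </parent>
  <!-- hypothetical coordinates for the example -->
  <groupId>com.example</groupId>
  <artifactId>token-consumer</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Override Spring Boot's managed versions. Both properties must be set
         to one compatible pair: the OIDC SDK in use and the nimbus-jose-jwt
         version it was built against. Mixing an 8.x SDK with a 9.x
         nimbus-jose-jwt gives the ClassCastException reported above, because
         9.x shades its JSON classes under com.nimbusds.jose.shaded.json. -->
    <nimbus-jose-jwt.version>8.20.1</nimbus-jose-jwt.version>
    <oauth2-oidc-sdk.version>8.36</oauth2-oidc-sdk.version>
  </properties>

  <dependencies>
    <!-- No <version> elements: both resolve through the properties above -->
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
    </dependency>
    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
    </dependency>
  </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=com.nimbusds` and confirm that exactly one version of each artifact resolves. If the project imports spring-boot-dependencies as a BOM in dependencyManagement instead of using the parent, the property override has no effect; in that case declare both artifacts with explicit versions in dependencyManagement, placed before the BOM import so they take precedence.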
@wilkinsona (Member)

Let's keep this open while we discuss things with the Spring Security team. Depending on what they decide to do about their incompatible dependencies, we may need to make some changes in Boot.

@wilkinsona wilkinsona reopened this Feb 1, 2021
@wilkinsona wilkinsona removed the status: feedback-provided Feedback has been provided label Feb 1, 2021
@wilkinsona wilkinsona changed the title Bug report: Spring 2.4.2 - Versions of oauth2-oidc-sdk and nimbus-jose-jwt not compatible Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible Feb 1, 2021
@wilkinsona wilkinsona added type: bug A general bug status: on-hold We can't start working on this issue yet and removed status: waiting-for-triage An issue we've not yet triaged labels Feb 1, 2021
@wilkinsona wilkinsona added this to the 2.4.x milestone Feb 1, 2021

wilkinsona commented Feb 4, 2021

Spring Security has downgraded to Nimbus JOSE JWT 8.x in 5.4.3. We should do the same to restore compatibility. 5.4.3 is scheduled for 12 February so we should make this change in 2.4.3 which is scheduled for 18 February.

@wilkinsona wilkinsona added status: noteworthy A noteworthy issue to call out in the release notes and removed status: on-hold We can't start working on this issue yet labels Feb 4, 2021
@wilkinsona wilkinsona modified the milestones: 2.4.x, 2.4.3 Feb 4, 2021

blommish commented Feb 5, 2021

Very nice, thanks!

@wilkinsona (Member)

The downgrade in Spring Security didn't work and it's now compiling against 9.5. I've opened spring-projects/spring-security#9453. We'll have to wait for another Security release.

@wilkinsona wilkinsona modified the milestones: 2.4.3, 2.4.x Feb 12, 2021
@wilkinsona wilkinsona added the status: blocked An issue that's blocked on an external project change label Feb 12, 2021
@wilkinsona wilkinsona modified the milestones: 2.4.x, 2.4.3 Feb 17, 2021
@wilkinsona wilkinsona removed the status: blocked An issue that's blocked on an external project change label Feb 18, 2021
This was referenced Mar 11, 2021