
Dependency convergence on nimbus-jose-jwt #22947

Closed
ThomasKasene opened this issue Aug 14, 2020 · 3 comments
Labels
status: superseded An issue that has been superseded by another

Comments

@ThomasKasene
Contributor

ThomasKasene commented Aug 14, 2020

When I use spring-boot-starter 2.3.3.RELEASE as my project's parent and include org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE as a dependency, my dependencyConvergence rule goes bananas over the version of com.nimbusds:nimbus-jose-jwt:

[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (default) @ my-project ---
[WARNING]
Dependency convergence error for com.nimbusds:nimbus-jose-jwt:8.8 paths to dependency are:
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-client:5.3.4.RELEASE
      +-com.nimbusds:oauth2-oidc-sdk:7.1.1
        +-com.nimbusds:nimbus-jose-jwt:8.8
and
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-jose:5.3.4.RELEASE
      +-com.nimbusds:nimbus-jose-jwt:8.19

I've been looking around for a bit, and noticed Spring Boot is behind on com.nimbusds:oauth2-oidc-sdk, so I bumped it up to 8.18 using the oauth2-oidc-sdk.version property, but still the same issue:

[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (default) @ my-project ---
[WARNING]
Dependency convergence error for com.nimbusds:nimbus-jose-jwt:8.18 paths to dependency are:
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-client:5.3.4.RELEASE
      +-com.nimbusds:oauth2-oidc-sdk:8.18
        +-com.nimbusds:nimbus-jose-jwt:8.18
and
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-jose:5.3.4.RELEASE
      +-com.nimbusds:nimbus-jose-jwt:8.19

Another attempt with oauth2-oidc-sdk.version = 8.19:

[INFO] --- maven-enforcer-plugin:3.0.0-M3:enforce (default) @ my-project ---
[WARNING]
Dependency convergence error for com.nimbusds:nimbus-jose-jwt:8.18 paths to dependency are:
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-client:5.3.4.RELEASE
      +-com.nimbusds:oauth2-oidc-sdk:8.19
        +-com.nimbusds:nimbus-jose-jwt:8.18
and
+-my.project:my-project:1.0-SNAPSHOT
  +-org.springframework.boot:spring-boot-starter-oauth2-client:2.3.3.RELEASE
    +-org.springframework.security:spring-security-oauth2-jose:5.3.4.RELEASE
      +-com.nimbusds:nimbus-jose-jwt:8.19

My point here is really just to show that Spring Security tries to use the most updated version of that artifact, while oauth2-oidc-sdk does not (always), effectively making the two artifacts oauth2-oidc-sdk and nimbus-jose-jwt two separate things.

So my question is - would it make sense to add com.nimbusds:nimbus-jose-jwt to Spring Boot's dependency management with its own version property?

I could give it a shot if the team deems it a good idea.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Aug 14, 2020
@wilkinsona
Member

Thanks for reporting the problem.

Given the rapid release schedule of the OIDC SDK (they went from 7.0 to 7.5 between February and May and from 8.0 to 8.19 between April and July), it feels like we should make an exception to our usual policy and upgrade from 7.5 to 8.x in Spring Boot 2.4. This would improve things here, but still wouldn't entirely resolve the problem as there's no guarantee that the versions will converge. Some dependency management for nimbus-jose-jwt will fix that and I think it would be a reasonable addition in a 2.3.x maintenance release. A pull request that adds it would be much appreciated.

I've opened #22951 to consider moving to 8.x in Boot 2.4.

@ThomasKasene
Contributor Author

ThomasKasene commented Aug 16, 2020

Thanks for your response!

I'll give it a shot. Do you think I should give oauth2-oidc-sdk a bump too while I'm at it, or do we fix that in a separate PR?

Also, do you have a hunch what the managed version for nimbus-jose-jwt should be for the 2.3.x branch? I've listed a few possibly relevant version pairings below:

| oauth2-oidc-sdk | nimbus-jose-jwt |
| --- | --- |
| 7.1.1 | 8.8 |
| 7.4 | 8.14.1 |

Where 7.4 seems to be the last 7.x release. Alternatively, I can just set it to 8.20 which is the latest nimbus-jose-jwt release at the time of writing.

@philwebb
Member

Closing in favor of PR #22996. Thanks @ThomasKasene!

@philwebb philwebb added status: superseded An issue that has been superseded by another and removed type: task A general task labels Aug 18, 2020
@philwebb philwebb removed this from the 2.4.x milestone Aug 18, 2020