Consider removing com.nimbusds:oauth2-oidc-sdk dependency

[jgrandja]

We should strongly consider removing the com.nimbusds:oauth2-oidc-sdk dependency as it has caused a number of issues over the years ever since we added it's usage in the OAuth2 support.

The root issue is the result of the out-of-sync release process used for the oauth2-oidc-sdk and nimbus-jose-jwt artifacts. Since oauth2-oidc-sdk depends on nimbus-jose-jwt, it's important to keep the versions of these artifacts in sync - only if oauth2-oidc-sdk is being used. However, there are cases where this poses to be a challenge, when artifacts are unexpectedly downgraded as described in this comment. As a result, we're also forced to downgrade versions to prevent dependency convergence, and this is not ideal as we should always strive to be using the latest versions as a best practice.

The support overhead that com.nimbusds:oauth2-oidc-sdk dependency has added over the years has outweighed the value of reuse of the library, so I recommend we remove the use of the library altogether and only depend on com.nimbusds:nimbus-jose-jwt and ensure we're always on the latest version.

We are currently using com.nimbusds:oauth2-oidc-sdk in the following classes:

• OAuth2ErrorResponseErrorHandler
• ClientRegistrations
• DefaultReactiveOAuth2UserService
• OAuth2AccessTokenResponseBodyExtractor
• NimbusOpaqueTokenIntrospector
• NimbusReactiveOpaqueTokenIntrospector

After reviewing the code in the above classes, I believe updating the code with our own implementation would be minimal effort and it ultimately would save us from any further support overhead.

Related gh-13843, gh-13990

[jzheaux]

The OpaqueTokenIntrospector classes can be deprecated at this point I think. We kept them around for a while in case folks needed the Nimbus support, but now there's a Nimbus-free implementation for both servlet and reactive.

[xak2000]

I'll add my 5 cents.

The mentioned unexpected downgrade of nimbus-jose-jwt from 9.31 to 9.24.4 actually caused problems in our project as our code was already dependent on some methods, added in 9.26. For instance, RSAKey.Builder.notBeforeTime and RSAKey.Builder.expirationTime. After upgrading to spring-security 6.1.5, these methods disappeared. :)

The downgrade made in com.nimbusds:oauth2-oidc-sdk:9.43.3 was initiated by a request from @jzheaux according to the comment. It's interesting what was the reason...

The author of oauth2-oidc-sdk himself recommends to use a latest version of nimbus-jose-jwt, so this downgrade was really unexpected to me.

I'm also not sure that com.nimbusds:oauth2-oidc-sdk is really depends on specific features of version 9.24.4 of nimbus-jose-jwt. Probably it will work with later versions of nimbus-jose-jwt just fine. The specific version was just latest at the moment of the release. So, the dependency convergence problem is somewhat artificial.

Maybe it's worth to upgrade to the latest version of com.nimbusds:oauth2-oidc-sdk first to have a more recent version of nimbus-jose-jwt? I mean, removing the oauth2-oidc-sdk dependency will help, but probably implementing this task will not be fast.

Is there any particular reason why com.nimbusds:oauth2-oidc-sdk should be of version 9.43.3?

[nmck257]

Hi - has this received any thought lately?
I'm observing that the nimbus-jose-jwt dependency is still on 9.37.3, from Dec 2023; there are ~11 new minor versions (and a major version) available. I expect that the coupling with oauth2-oidc-sdk is the main barrier.
Not sure if the timeline is too snug for Spring Security 6.5.0, but, maybe a decision could be reached and slotted for an upcoming release?

[jgrandja]

@nmck257 Thanks for bringing this up and putting it back on my radar. It's definitely not going to make it into 6.5 but now is a good time to figure out the go forward strategy for the 7.0 release cycle. I assigned this to the 7.0.x milestone and will take care of this soon.