Backwards-incompatible nimbus-jose-jwt dependency may be retrieved

Issue #177 resolved
Jacob Childress created an issue

The use of an unbounded upper version range for the nimbus-jose-jwt dependency can cause Maven to pull in a version of that library that may be incompatible with oauth2-oidc-sdk.

In our specific case, we had test code with a dependency on oauth2-oidc-sdk 5.5.1. This had been working fine, but began to fail recently with a NoClassDefFoundError for com/nimbusds/jwt/util/DateUtils after Maven began retrieving nimbus-jose-jwt 4.16.1. Explicitly adding a dependency to nimbus-jose-jwt 4.13.1 resolved the problem for us.

Here's an excerpt from the oauth2-oidc-sdk 5.5.1 POM:

        <dependency>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
            <version>[4.11,)</version>
        </dependency>

Here's the nimbus-jose-jwt commit in which DateUtils is moved to a different package:

https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/f0aeb018938918175dccee6f1fe0131f08f62beb

Example

Example Java program that attempts to create and sign an ID token:

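    package com.example;

    import java.security.SecureRandom;
    import java.util.Collections;
    import java.util.Date;
    import java.util.List;
    import java.util.concurrent.TimeUnit;

    import com.nimbusds.jose.JWSAlgorithm;
    import com.nimbusds.jose.JWSHeader;
    import com.nimbusds.jose.JWSSigner;
    import com.nimbusds.jose.crypto.MACSigner;
    import com.nimbusds.jwt.SignedJWT;
    import com.nimbusds.oauth2.sdk.id.Audience;
    import com.nimbusds.oauth2.sdk.id.Issuer;
    import com.nimbusds.oauth2.sdk.id.Subject;
    import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;

    public class IDTokenExample
    {
      public static void main(String[] args) throws Exception
      {
        // Random 256-bit shared secret for the HS256 MAC
        SecureRandom random = new SecureRandom();
        byte[] sharedSecret = new byte[32];
        random.nextBytes(sharedSecret);

        List<Audience> audiences =
            Collections.singletonList(new Audience("client1"));
        Date expiration =
            new Date(new Date().getTime() +
                         TimeUnit.MILLISECONDS.convert(15, TimeUnit.MINUTES));
        // With nimbus-jose-jwt 4.16.1 resolved, this constructor is where the
        // NoClassDefFoundError shown below is thrown
        IDTokenClaimsSet claimsSet =
            new IDTokenClaimsSet(new Issuer("issuer"), new Subject("subject"),
                                 audiences, expiration, new Date());
        SignedJWT idToken =
            new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), claimsSet.toJWTClaimsSet());
        JWSSigner signer = new MACSigner(sharedSecret);
        idToken.sign(signer);

        System.out.println(idToken.serialize());
      }
    }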

Dependency on oauth2-oidc-sdk 5.5.1:

    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>5.5.1</version>
    </dependency>

Result of running this program:

    Exception in thread "main" java.lang.NoClassDefFoundError: com/nimbusds/jwt/util/DateUtils
        at com.nimbusds.openid.connect.sdk.claims.ClaimsSet.setDateClaim(ClaimsSet.java:398)
        at com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet.<init>(IDTokenClaimsSet.java:190)
        at com.example.IDTokenExample.main(IDTokenExample.java:37)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
    Caused by: java.lang.ClassNotFoundException: com.nimbusds.jwt.util.DateUtils
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        ... 8 more

Explicitly adding a dependency like the following resolves the above failure:

    <dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>4.13.1</version>
    </dependency>
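
A check for the kind of declaration this issue describes, as an added example that is not part of the original report or the project's own code: it scans a POM for dependencies whose Maven version range has no upper bound, such as [4.11,). The sample POM is constructed (only the nimbus-jose-jwt entry comes from the excerpt above), the function names are hypothetical, and versions given through ${...} properties are not resolved.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample POM; the first dependency is the declaration quoted in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.nimbusds</groupId><artifactId>nimbus-jose-jwt</artifactId><version>[4.11,)</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>bounded-lib</artifactId><version>[1.0,2.0)</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>pinned-lib</artifactId><version>[3.2.1]</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>soft-lib</artifactId><version>1.4</version></dependency>
</dependencies></project>"""

# One interval of a Maven version range: "[lo,hi)", "(,hi]", "[exact]".
INTERVAL = re.compile(r"[\[(]([^\[\]()]*)[\])]")

def has_open_upper_bound(version):
    """True if any interval in a Maven version range has no upper limit."""
    for body in INTERVAL.findall(version.strip()):
        if "," in body and body.split(",", 1)[1].strip() == "":
            return True
    return False

def _local(tag):
    # Strip the "{namespace}" prefix ElementTree puts on POM element names.
    return tag.rsplit("}", 1)[-1]

def find_unbounded(pom_xml):
    """Return (groupId, artifactId, version) for dependencies with open-ended ranges."""
    hits = []
    for elem in ET.fromstring(pom_xml).iter():
        if _local(elem.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if has_open_upper_bound(fields.get("version", "")):
            hits.append((fields.get("groupId"), fields.get("artifactId"), fields["version"]))
    return hits

if __name__ == "__main__":
    for group, artifact, version in find_unbounded(SAMPLE_POM):
        print(f"{group}:{artifact} declares open-ended range {version}")
```

Run against the POMs of direct dependencies, a hit means a new upstream release can change the resolved version without any change to the build.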

Comments (2)

  1. Connect2id OSS
    • changed status to open

    Thanks for spotting this. Apparently the class has been moved to com.nimbusds.jose.util.

    We'll put it back.

  2. Connect2id OSS

    Restored in commit 8bc18b2.

    The update will be pushed to Maven Central as v4.16.2 in a few minutes (but it may take an hour or so until it becomes available).

    Happy coding!