Dependency issues

Issue #327 invalid
Hjemås, Anne Marte created an issue

Hi,

There seems to be an issue with oauth2-oidc-sdk versions that pull in an incompatible version 9.2 of nimbus-jose-jwt.

I have to explicitly exclude it and include an older version as the sdk depends on the old JsonObject implementation.

<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>oauth2-oidc-sdk</artifactId>
    <version>8.28.1</version>
    <!-- some random issues if a 9.x version happens to be included -->
    <exclusions>
        <exclusion>
            <groupId>com.nimbusds</groupId>
            <artifactId>nimbus-jose-jwt</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>com.nimbusds</groupId>
    <artifactId>nimbus-jose-jwt</artifactId>
    <version>8.20.1</version>
</dependency>

Comments (10)

  1. Yavor Vasilev
    • changed status to open

    Starting in July with version 8.14 (2020-07-07) the JWT lib dep got locked to 8.18, to avoid picking up new incompatible JWT lib 9.x versions.

    <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>8.18</version>
    </dependency>
    

    Are you getting the dependency issues with 8.28.1?

  2. Yavor Vasilev

    BTW - There was a release today, which bumped the JWT lib to the latest:

    version 8.28.3 (2020-12-10)
        * Fixes TrustChain.resolveCombinedMetadataPolicy (iss #328).
        * Updates to com.nimbusds:nimbus-jose-jwt:8.20.1
    

  3. Hjemås, Anne Marte reporter

    I still get this if I don’t exclude the jwt-lib:

    [INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:8.28.3:compile
    [INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
    [INFO] |  +- com.nimbusds:content-type:jar:2.1:compile
    [INFO] |  +- net.minidev:json-smart:jar:2.3:compile
    [INFO] |  |  \- net.minidev:accessors-smart:jar:1.2:compile
    [INFO] |  |     \- org.ow2.asm:asm:jar:5.0.4:compile
    [INFO] |  +- com.nimbusds:lang-tag:jar:1.4.4:compile
    [INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile
    

    I haven’t found anything in the poms to suggest why this is happening, though.

    The build also fails in the github pipeline because of

    java.lang.NoSuchMethodError: 'net.minidev.json.JSONObject com.nimbusds.jwt.JWTClaimsSet.toJSONObject()'
    at com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet.<init>(IDTokenClaimsSet.java:238)
    

    I can still use the exclusion to avoid it. Still very strange.

  4. Yavor Vasilev

    Good evening,

    I’d suggest printing the dependency tree; it will give useful hints.
    https://maven.apache.org/plugins/maven-dependency-plugin/examples/resolving-conflicts-using-the-dependency-tree.html

    Here for the SDK it prints:

    [INFO] com.nimbusds:oauth2-oidc-sdk:jar:8.28.4-SNAPSHOT
    [INFO] +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
    [INFO] +- com.nimbusds:content-type:jar:2.1:compile
    [INFO] +- net.minidev:json-smart:jar:2.3:compile
    [INFO] |  \- net.minidev:accessors-smart:jar:1.2:compile
    [INFO] |     \- org.ow2.asm:asm:jar:5.0.4:compile
    [INFO] +- com.nimbusds:lang-tag:jar:1.4.4:compile
    [INFO] +- com.nimbusds:nimbus-jose-jwt:jar:8.20.1:compile
    [INFO] +- com.google.crypto.tink:tink:jar:1.2.2:compile
    [INFO] |  +- com.amazonaws:aws-java-sdk-core:jar:1.11.166:compile
    [INFO] |  |  +- software.amazon.ion:ion-java:jar:1.0.2:compile
    [INFO] |  |  \- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.6.7:compile
    [INFO] |  +- com.amazonaws:aws-java-sdk-kms:jar:1.11.166:compile
    [INFO] |  |  \- com.amazonaws:jmespath-java:jar:1.11.166:compile
    [INFO] |  |     \- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile
    [INFO] |  |        \- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.0:compile
    [INFO] |  +- com.google.api-client:google-api-client:jar:1.22.0:compile
    [INFO] |  |  +- com.google.oauth-client:google-oauth-client:jar:1.22.0:compile
    [INFO] |  |  |  \- com.google.http-client:google-http-client:jar:1.22.0:compile
    [INFO] |  |  \- com.google.http-client:google-http-client-jackson2:jar:1.22.0:compile
    [INFO] |  |     \- com.fasterxml.jackson.core:jackson-core:jar:2.1.3:compile
    [INFO] |  +- com.google.apis:google-api-services-cloudkms:jar:v1-rev9-1.22.0:compile
    [INFO] |  +- com.google.guava:guava:jar:25.0-jre:compile
    [INFO] |  |  +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
    [INFO] |  |  +- org.checkerframework:checker-compat-qual:jar:2.0.0:compile
    [INFO] |  |  +- com.google.errorprone:error_prone_annotations:jar:2.1.3:compile
    [INFO] |  |  +- com.google.j2objc:j2objc-annotations:jar:1.1:compile
    [INFO] |  |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.14:compile
    [INFO] |  +- com.google.auto.service:auto-service:jar:1.0-rc4:compile
    [INFO] |  |  \- com.google.auto:auto-common:jar:0.8:compile
    [INFO] |  +- com.google.protobuf:protobuf-java:jar:3.6.0:compile
    [INFO] |  \- org.json:json:jar:20170516:compile
    [INFO] +- org.bouncycastle:bcprov-jdk15on:jar:1.65:compile
    [INFO] +- org.bouncycastle:bcpkix-jdk15on:jar:1.65:compile
    [INFO] +- org.cryptomator:siv-mode:jar:1.3.2:compile
    [INFO] +- org.opensaml:opensaml-core:jar:3.4.5:compile
    [INFO] |  +- joda-time:joda-time:jar:2.9:compile
    [INFO] |  +- io.dropwizard.metrics:metrics-core:jar:3.1.2:compile
    [INFO] |  +- net.shibboleth.utilities:java-support:jar:7.5.1:compile
    [INFO] |  +- commons-codec:commons-codec:jar:1.10:compile
    [INFO] |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
    [INFO] +- org.opensaml:opensaml-saml-api:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-xmlsec-api:jar:3.4.5:compile
    [INFO] |  |  \- org.opensaml:opensaml-security-api:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-soap-api:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-messaging-api:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-profile-api:jar:3.4.5:compile
    [INFO] |  \- org.opensaml:opensaml-storage-api:jar:3.4.5:compile
    [INFO] +- org.opensaml:opensaml-saml-impl:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-security-impl:jar:3.4.5:compile
    [INFO] |  +- org.opensaml:opensaml-xmlsec-impl:jar:3.4.5:compile
    [INFO] |  |  +- org.apache.santuario:xmlsec:jar:2.0.10:compile
    [INFO] |  |  |  \- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
    [INFO] |  |  |     \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
    [INFO] |  |  \- org.cryptacular:cryptacular:jar:1.1.3:compile
    [INFO] |  +- org.opensaml:opensaml-soap-impl:jar:3.4.5:compile
    [INFO] |  +- org.apache.velocity:velocity:jar:1.7:compile
    [INFO] |  |  +- commons-collections:commons-collections:jar:3.2.1:compile
    [INFO] |  |  \- commons-lang:commons-lang:jar:2.4:compile
    [INFO] |  \- org.apache.httpcomponents:httpclient:jar:4.5.3:compile
    [INFO] |     \- org.apache.httpcomponents:httpcore:jar:4.4.6:compile
    [INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
    [INFO] +- junit:junit:jar:4.12:test
    [INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
    [INFO] +- net.jadler:jadler-all:jar:1.3.0:test
    [INFO] |  +- net.jadler:jadler-core:jar:1.3.0:test
    [INFO] |  |  +- org.hamcrest:hamcrest-library:jar:1.3:test
    [INFO] |  |  \- commons-io:commons-io:jar:2.4:test
    [INFO] |  +- net.jadler:jadler-jetty:jar:1.3.0:test
    [INFO] |  |  +- org.eclipse.jetty:jetty-server:jar:8.1.11.v20130520:test
    [INFO] |  |  |  +- org.eclipse.jetty:jetty-continuation:jar:8.1.11.v20130520:test
    [INFO] |  |  |  \- org.eclipse.jetty:jetty-http:jar:8.1.11.v20130520:test
    [INFO] |  |  |     \- org.eclipse.jetty:jetty-io:jar:8.1.11.v20130520:test
    [INFO] |  |  |        \- org.eclipse.jetty:jetty-util:jar:8.1.11.v20130520:test
    [INFO] |  |  \- org.eclipse.jetty.orbit:javax.servlet:jar:3.0.0.v201112011016:test
    [INFO] |  \- net.jadler:jadler-junit:jar:1.3.0:test
    [INFO] \- org.apache.commons:commons-math3:jar:3.6.1:test
    

  5. Yavor Vasilev

    In IntelliJ (the IDE) I sometimes needed to clear the IDE caches when getting weird dep problems.

  6. Yavor Vasilev

    Hm, it is odd, because the IDE dep caches and the maven dep resolution should actually be independent.

    Another check is to display the deps in the IDE’s own UI and see if those match the maven dependency:tree. As I wrote above, sometimes they may get out of sync, though it's hard to say why.

  7. Hjemås, Anne Marte reporter

    Yes, it is a mystery. No matter where we build it, we get the wrong dependency. Might be some cache somewhere, but not on my local machine, because it gets the same issue when building in the pipeline. But we have the workaround at least. 🙂

  8. Yavor Vasilev

    The places where you build it, do they use your Maven repo server (as proxy) which caches Maven Central?

  9. Yavor Vasilev

    I'm going to close this ticket as "invalid" for now.

    If the issue is traced back to the SDK - feel free to reopen it.
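
The dependency-tree check suggested in comment 4, written as a script a build pipeline could run (an added example, not part of the original thread or the SDK's code): it parses `mvn dependency:tree` output and reports every resolved nimbus-jose-jwt whose major version is not 8, with the path that pulled it in. The sample input is constructed from the tree lines in comment 3 under a placeholder project root `com.example:app`; the function names and the `allowed_major` parameter are assumptions of this example.

```python
import re

# Constructed sample: tree lines quoted in comment 3, placed under a
# placeholder project root (com.example:app is not from the thread).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- com.nimbusds:oauth2-oidc-sdk:jar:8.28.3:compile
[INFO] |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  +- net.minidev:json-smart:jar:2.3:compile
[INFO] |  |  \\- net.minidev:accessors-smart:jar:1.2:compile
[INFO] |  \\- com.nimbusds:nimbus-jose-jwt:jar:9.1.2:compile
"""

# "[INFO] " + zero or more 3-character indent units + Maven coordinates.
LINE = re.compile(r"^\[INFO\] ((?:[|+\\ ][- ] )*)([^\s:]+(?::[^\s:]+){3,5})$")


def parse_tree(text):
    """Return (ancestors, group, artifact, version) for every node in the tree."""
    stack, nodes = [], []
    for line in text.splitlines():
        m = LINE.match(line.rstrip())
        if not m:
            continue  # banner, summary and other non-tree lines
        depth = len(m.group(1)) // 3
        parts = m.group(2).split(":")
        # The root has no scope (g:a:type:version); children end in ":scope".
        version = parts[3] if len(parts) == 4 else parts[-2]
        del stack[depth:]  # drop siblings and deeper nodes left on the stack
        nodes.append((list(stack), parts[0], parts[1], version))
        stack.append(f"{parts[0]}:{parts[1]}:{version}")
    return nodes


def find_incompatible(text, ga="com.nimbusds:nimbus-jose-jwt", allowed_major=8):
    """List resolved versions of `ga` whose major version differs from allowed_major."""
    findings = []
    for ancestors, group, artifact, version in parse_tree(text):
        if f"{group}:{artifact}" != ga:
            continue
        major = re.match(r"\d+", version)
        if major is None or int(major.group()) != allowed_major:
            findings.append({"version": version, "via": ancestors})
    return findings


if __name__ == "__main__":
    for f in find_incompatible(SAMPLE_TREE):
        print(f"nimbus-jose-jwt {f['version']} resolved via {' -> '.join(f['via'])}")
```

To use it in a build, pass the captured `mvn dependency:tree` output to `find_incompatible` and fail the job when the returned list is not empty.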
