Dependency convergence failed for nimbus-jose-jwt in spring-security

Issue #441 resolved
Steve Riesenberg created an issue

Spring Security depends on oauth2-oidc-sdk and nimbus-jose-jwt. oauth2-oidc-sdk recently downgraded versions. Unfortunately, Spring Security had already upgraded both libraries. Is there a way to get the 9.43.x line of oauth2-oidc-sdk back up to nimbus-jose-jwt version 9.31? We would like to avoid downgrading ourselves since we provide nimbus-jose-jwt as a transitive dependency of spring-security-oauth2-jose. See #13843 for background.

Comments (3)

  1. Yavor Vasilev
    • changed status to open

    I believe the downgrade in May was made in response to a request by Josh Cummings from Spring Security.

    The most recent stable JWT lib is 9.35. Let us know if you'd prefer 9.35 instead (recommended).

  2. Steve Riesenberg reporter

    Thanks for the update, Yavor. I’ve spoken with Josh and for now, we will revert to nimbus-jose-jwt:9.24.4 as we should not have taken the update for oauth2-oidc-sdk:9.43.2 and instead waited for 9.43.3.
