Nimbus JOSE JWT downgrade is a breaking change in Spring Boot 2.4.3

[dkroehan]

Hi!

When updating from Spring Boot 2.4.2 to Spring Boot 2.4.3 we discovered an undocumented breaking change on the managed version of Nimbus JOSE JWT library.

Spring Boot 2.4.3 contains the following change: #25070

This downgrades the library from 9.1.3 to 8.20.2

This is a breaking change as it throws the following NoSuchMethodError on our code base:

Caused by: java.lang.NoSuchMethodError: 'java.util.Map com.nimbusds.jwt.JWTClaimsSet.getJSONObjectClaim(java.lang.String)'

This dependency downgrade is not listed in the release notes: https://github.com/spring-projects/spring-boot/releases/tag/v2.4.3

I saw in the release notes of Spring Boot 2.5.2-M2 that it includes an update to Nimbus JOSE JWT 9.5
See: #25249

[wilkinsona]

Thanks for raising this. The change is listed in the release notes but it's not as prominent as we had intended. There's an entry in the list of bug fixes:

Managed versions of oauth2-oidc-sdk and nimbus-jose-jwt are incompatible #25070

I've updated the release notes to add a new entry at the top that describes the changes and suggests using nimbus-jose-jwt.version to move back to 9.x if you need to do so.

[dkroehan]

Thx for updating the release notes :)

The entry in the list of bug fixes helped me to actually find the root cause.

In general I didn't and also wouldn't expect any breaking changes in the list of bug fixes.

[wilkinsona]

In general I didn't and also wouldn't expect any breaking changes in the list of bug fixes

That's an entirely reasonable expectation. Unfortunately, it was impossible to fix the problem without one and, after much consideration, we decided that the change we made was the least bad option. I think this is the first time we've made a breaking change in a maintenance release and we hope that it will also be the last.