Azure-sdk-for-java: [BUG] Version problem about nimbus-jose-jwt in azure-active-directory-spring-boot-starter

Constructor signature in v8.9 - public DefaultJWKSetCache(final long lifespan, final TimeUnit timeUnit)

Constructor signature in v8.10 and beyond - public DefaultJWKSetCache(final long lifespan, final long refreshTime, final TimeUnit timeUnit)

Thanks for filing this issue and providing this feedback @azuroff. Someone from the azure-spring team will follow up shortly.

/cc @jialindai

Hi, @azuroff .

Could you please set nimbus-jose-jwt's version from v8.9 to v7.9 in your pom?
Because we are using nimbus-jose-jwt v7.9

azure-active-directory-spring-boot-starter - 2.3.3 has already released, we can not change nimbus-jose-jwt's version.

Maybe in the future, we will update nimbus-jose-jwt's version.

This issue is similar to https://github.com/Azure/azure-sdk-for-java/issues/14898

Adding the following fragment in your pom can solve the problem:

<dependency>
  <groupId>com.nimbusds</groupId>
  <artifactId>nimbus-jose-jwt</artifactId>
  <version>7.9</version>
</dependency>

I'm following this tutorial - https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory - which mentions adding the following as dependencies:

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

It's the latest version (5.3.4.RELEASE) of spring-security-oauth2-jose that contains the conflicting version (8.19) of the nimbus-jose-jwt library. Maybe the tutorial should include a specific version of the library (5.3.2.RELEASE looks like it would work), but that's probably some other department that writes those...

Hi, @azuroff ,

Thank you for your detailed description.
Now we have released new version (azure-active-directory-spring-boot-starter - 2.3.5).
Use new version may solve your problem.
Please check. 🙏

Well, since the line causing the problem hasn't changed in 2.3.5, I suspect the new version will have the same issue.

Hi, @azuroff .

This problem is caused by oauth2-oidc-sdk:

• https://github.com/Azure/azure-sdk-for-java/issues/14898#issuecomment-693221228

The root cause of this problem is oauth2-oidc-sdk used version ranges instead of explicit dependencies,
and the problem have been solved in oauth2-oidc-sdk-7.0.3.

The latest version of azure-keyvault-secrets-spring-boot-starter (2.3.5) already use oauth2-oidc-sdk-7.1.1:

So the problem does not exist if we use azure-keyvault-secrets-spring-boot-starter-2.3.5.

Could you please have a try?

Hi, @azuroff .

Did you test azure-active-directory-spring-boot-starter - 2.3.5 in your project?
If there is no other question, I'll close it few day later.

The problem isn't with oauth2-oidc-sdk-7.1.1.

The problem is with later versions of spring-security-oauth2-jose that are listed in the tutorial (the tutorial doesn't specify a version). This package includes a dependency on a newer version of nimbus-jose-jwt that breaks your code because the constructor for the DefaultJWKSetCache class changed - as I pointed out above.

I'll run through the tutorial again tomorrow with a clean project and version 2.3.5, but I'm not expecting it to work.

Hi, @azuroff .

Thank you for your detailed explanation.

I'll run through the tutorial again tomorrow with a clean project and version 2.3.5

Please specify the version manually, seems the project created by spring initializer will use version 2.3.3.

If your problem still exists, please share your pom. 🙏

FYI: We are trying to update azure-active-directory-spring-boot-starter's version to 2.3.5 on Spring initializer: https://github.com/spring-io/start.spring.io/issues/534 ,

I'm experiencing the same issue using

<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>2.3.4.RELEASE</version>
  <relativePath/> <!-- lookup parent from repository -->
</parent>
<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
  <version>2.3.5</version>
</dependency>

As already mentioned, adding

<dependency>
  <groupId>com.nimbusds</groupId>
  <artifactId>nimbus-jose-jwt</artifactId>
  <version>7.9</version>
</dependency>

resolves the issue.

Hi, @tschmidt01 ,
Thank you for reaching out.

I think if you change spring-boot-starter-parent's version from 2.3.4.RELEASE to 2.3.3.RELEASE will solve your problem.

Here is the detail information:

pom(spring-boot-starter-parent-2.3.3.RELEASE)(azure.version=2.3.5).xml.txt

pom(spring-boot-starter-parent-2.3.3.RELEASE)(azure.version=2.3.5).xml.txt

Currently, our azure-active-directory-spring-boot-starter not fit spring-boot-2.3.4 well.

I create a issue to fix it: https://github.com/Azure/azure-sdk-for-java/issues/15666

I am facing the same problem and have following questions, since #15666 was closed about 2 weeks ago.

1) when is the next release planned? I have a hard time figuring that out in this repo.
2) is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

Hi, @DRoppelt ,

when is the next release planned? I have a hard time figuring that out in this repo.

Currently, not sure.

is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

azure-active-directory-spring-boot-starter:2.3.5 already fixed the problem, please use it.

if you are using spring-boot-starter-parent:2.3.4, you use write like this:

<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
  <version>2.3.5</version>
</dependency>

not

<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
</dependency>

<version> can not be skipped.

I cannot confirm that it is fixed with azure-active-directory-spring-boot-starter:2.3.5

2.3.5 of that module still uses:

<dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>
</dependency>

I have attached a sample to reproduce this error: spring boot 2.3.5 + AAD starter 2.3.5
demo.zip

Based on this: https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.3.5.RELEASE&packaging=jar&jvmVersion=11&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=web,actuator,azure-active-directory

Added following to produce this error:
application.properties:

azure.activedirectory.session-stateless=true
azure.activedirectory.client-id=xxxxxxx

Executing mvn test will lead to the error.

This is the change that fixes it: https://github.com/Azure/azure-sdk-for-java/pull/15671/files#diff-bcfb49d18189176138f006deabde7a4362c16181b6eea91a03aa06bc75ed1727R112

Hi, @DRoppelt , Thank you for your quick response.

Here is the screenshot about your demo's dependency:

After add the following fragment in the pom:

      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>

Then dependency will be like this:

Then mvn test will pass.

So please add the following fragment in you pom:

      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>

@chenrujun

yes that fixes it as a workaround, thank you.

is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

azure-active-directory-spring-boot-starter:2.3.5 already fixed the problem, please use it.

That sounded like it was already fixed with 2.3.5 without a workaround, but I misunderstood.

@DRoppelt

yes that fixes it as a workaround, thank you.

You are welcome.

That sounded like it was already fixed with 2.3.5 without a workaround, but I misunderstood.

Sorry for making you confused.
If you are using spring-boot:2.3.3 with azure-active-directory-spring-boot-starter:2.3.5, then no problem.

But if you are using spring-boot:2.3.4( or 2.3.5), then you should use that workaround. Because spring-boot-dependencies managed nimbus-jose-jwt's version since 2.3.4.

Refs:

• https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.3.RELEASE/spring-boot-dependencies-2.3.3.RELEASE.pom
• https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.4.RELEASE/spring-boot-dependencies-2.3.4.RELEASE.pom
• https://repo.maven.apache.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.5.RELEASE/spring-boot-dependencies-2.3.5.RELEASE.pom

I think the problem with AADAuthenticationFilterAutoConfiguration#getJWKSetCache () can be solved with the following snippet.
We have also confirmed that this fix works for the application.

 @Bean
 @ConditionalOnMissingBean(JWKSetCache.class)
 public JWKSetCache getJWKSetCache () {
     return new DefaultJWKSetCache (aadAuthProps.getJwkSetCacheLifespan(),
             aadAuthProps.getJwkSetCacheLifespan(), TimeUnit.MILLISECONDS);
 }

However, the second argument of DefaultJWKSetCache determines the refresh cycle of the token.
Having the same value of cache life and refresh timing may cause another problem.

For this reason, I think the aadAuthProps will need a new Long value to determine the cache refresh cycle.

The issue pointed out earlier has been reported in another issue microsoft/azure-spring-boot#802
This issue may resolved by adding one property named like as "jwkSetCacheRefleshSpan" to AADAuthenticationFilterAutoConfiguration.

@talesleaves

I think the problem with AADAuthenticationFilterAutoConfiguration#getJWKSetCache () can be solved with the following snippet.

Already did that in latest master branch:

https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilterAutoConfiguration.java#L109

This issue may resolved by adding one property named like as "jwkSetCacheRefleshSpan" to AADAuthenticationFilterAutoConfiguration.

Thank you for your suggestion.
Issue created: https://github.com/Azure/azure-sdk-for-java/issues/17567

@chenrujun

Already did that in latest master branch:

https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilterAutoConfiguration.java#L109

I am glad that it is helpful.

Also, for users:
If you want to use a newer version of spring-boot-starter before this update takes effect, add the following snippet to your any configuration:

@Autowired
private AADAuthenticationProperties aadAuthProps;
//other configs...

@Bean
public JWKSetCache getJWKSetCache () {
    long lifeSpan = aadAuthProps.getJwkSetCacheLifespan();
    return new DefaultJWKSetCache (lifeSpan, lifeSpan, TimeUnit.MILLISECONDS);
}

This is the same behavior as nimbus-jose-jwt <8.10.
However, it is desirable that the second argument be slightly smaller than the first argument, as it can cause other problems as pointed out earlier.

I hope you find it useful.

@talesleaves , Thank you very much for your suggestion for users. 👍

@chenrujun , It was my pleasure.

@chenrujun

Since you have closed this issue, was there a release that fixed this without one of the two workarounds?

@DRoppelt , OK, I'll reopen this issue, and close it until next release.

We released azure-spring-boot-starter-active-directory:3.0.0, so I'll close this issue.

using com.microsoft.azure:azure-active-directory-spring-boot-starter:2.3.2
upgrading spring boot version from 2.2.8.RELEASE to 2.3.1.RELEASE cause this to happen
updating to com.microsoft.azure:azure-active-directory-spring-boot-starter:2.3.5 did not help

adding blow dependency management helped resolve the issue

dependencyManagement {
    imports {
        mavenBom 'com.microsoft.azure:azure-spring-boot-bom:2.2.1'
    }
}