Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Version problem about nimbus-jose-jwt in azure-active-directory-spring-boot-starter #15180

Closed
3 tasks done
azuroff opened this issue Sep 14, 2020 · 31 comments
Closed
3 tasks done
Assignees
Labels
azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@azuroff
Copy link

azuroff commented Sep 14, 2020

Describe the bug
When starting up an app with the azure-active-directory-spring-boot-starter, it fails with an error about calling a method that does not exist.

Exception or Stack Trace

***************************
APPLICATION FAILED TO START
***************************

Description:

An attempt was made to call a method that does not exist. The attempt was made from the following location:

    com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilterAutoConfiguration.getJWKSetCache(AADAuthenticationFilterAutoConfiguration.java:101)

The following method did not exist:

    com/nimbusds/jose/jwk/source/DefaultJWKSetCache.<init>(JLjava/util/concurrent/TimeUnit;)V

The method's class, com.nimbusds.jose.jwk.source.DefaultJWKSetCache, is available from the following locations:

    jar:file:/Users/azuroff/.m2/repository/com/nimbusds/nimbus-jose-jwt/8.13/nimbus-jose-jwt-8.13.jar!/com/nimbusds/jose/jwk/source/DefaultJWKSetCache.class

The class hierarchy was loaded from the following locations:

    com.nimbusds.jose.jwk.source.DefaultJWKSetCache: file:/Users/azuroff/.m2/repository/com/nimbusds/nimbus-jose-jwt/8.13/nimbus-jose-jwt-8.13.jar


Action:

Correct the classpath of your application so that it contains a single, compatible version of com.nimbusds.jose.jwk.source.DefaultJWKSetCache

To Reproduce
Steps to reproduce the behavior:

Include the azure-active-directory-spring-boot-starter and a version of nimbus-jose-jwt greater than 8.9. The constructor being called was changed in version 8.10.

Code Snippet
Add the code snippet that causes the issue.

N/A - internal library code

Expected behavior
A clear and concise description of what you expected to happen.

The app should start up without errors.

Screenshots
If applicable, add screenshots to help explain your problem.

Setup (please complete the following information):

  • OS: [e.g. iOS] - MacOS Catalina 10.15.6
  • IDE : [e.g. IntelliJ] - IntelliJ IDEA 2020.2.1
  • Version of the Library used

azure-active-directory-spring-boot-starter - 2.3.3
nimbus-jose-jwt - > 8.9

Additional context
Add any other context about the problem here.

Information Checklist
Kindly make sure that you have added all the following information above and checkoff the required fields otherwise we will treat the issuer as an incomplete report

  • Bug Description Added
  • Repro Steps Added
  • Setup information Added
@ghost ghost added needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Sep 14, 2020
@azuroff azuroff changed the title [BUG] AADAuthenticationFilterAutoConfiguration calling no-longer-available constructor in DefaultJWKSetCache [BUG] AADAuthenticationFilterAutoConfiguration calls no-longer-available constructor in DefaultJWKSetCache Sep 14, 2020
@azuroff
Copy link
Author

azuroff commented Sep 14, 2020

Constructor signature in v8.9 - public DefaultJWKSetCache(final long lifespan, final TimeUnit timeUnit)

Constructor signature in v8.10 and beyond - public DefaultJWKSetCache(final long lifespan, final long refreshTime, final TimeUnit timeUnit)

@joshfree joshfree added azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. labels Sep 14, 2020
@ghost ghost removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Sep 14, 2020
@joshfree
Copy link
Member

Thanks for filing this issue and providing this feedback @azuroff. Someone from the azure-spring team will follow up shortly.

/cc @jialindai

@chenrujun chenrujun self-assigned this Sep 15, 2020
@chenrujun chenrujun changed the title [BUG] AADAuthenticationFilterAutoConfiguration calls no-longer-available constructor in DefaultJWKSetCache [BUG] Version problem about nimbus-jose-jwt Sep 15, 2020
@chenrujun
Copy link

Hi, @azuroff .

Could you please set nimbus-jose-jwt's version from v8.9 to v7.9 in your pom?
Because we are using nimbus-jose-jwt v7.9

azure-active-directory-spring-boot-starter - 2.3.3 has already released, we can not change nimbus-jose-jwt's version.

Maybe in the future, we will update nimbus-jose-jwt's version.

@chenrujun
Copy link

This issue is similar to #14898

Adding the following fragment in your pom can solve the problem:

<dependency>
  <groupId>com.nimbusds</groupId>
  <artifactId>nimbus-jose-jwt</artifactId>
  <version>7.9</version>
</dependency>

@azuroff
Copy link
Author

azuroff commented Sep 15, 2020

I'm following this tutorial - https://docs.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory - which mentions adding the following as dependencies:

<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
   <groupId>org.springframework.security</groupId>
   <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

It's the latest version (5.3.4.RELEASE) of spring-security-oauth2-jose that contains the conflicting version (8.19) of the nimbus-jose-jwt library. Maybe the tutorial should include a specific version of the library (5.3.2.RELEASE looks like it would work), but that's probably some other department that writes those...

@chenrujun
Copy link

chenrujun commented Sep 17, 2020

Hi, @azuroff ,

Thank you for your detailed description.
Now we have released new version (azure-active-directory-spring-boot-starter - 2.3.5).
Use new version may solve your problem.
Please check. 🙏

@azuroff
Copy link
Author

azuroff commented Sep 18, 2020

Well, since the line causing the problem hasn't changed in 2.3.5, I suspect the new version will have the same issue.

@chenrujun
Copy link

Hi, @azuroff .

This problem is caused by oauth2-oidc-sdk:

The root cause of this problem is oauth2-oidc-sdk used version ranges instead of explicit dependencies,
and the problem have been solved in oauth2-oidc-sdk-7.0.3.

The latest version of azure-keyvault-secrets-spring-boot-starter (2.3.5) already use oauth2-oidc-sdk-7.1.1:

So the problem does not exist if we use azure-keyvault-secrets-spring-boot-starter-2.3.5.

Could you please have a try?

@chenrujun
Copy link

Hi, @azuroff .

Did you test azure-active-directory-spring-boot-starter - 2.3.5 in your project?
If there is no other question, I'll close it few day later.

@azuroff
Copy link
Author

azuroff commented Sep 24, 2020

The problem isn't with oauth2-oidc-sdk-7.1.1.

The problem is with later versions of spring-security-oauth2-jose that are listed in the tutorial (the tutorial doesn't specify a version). This package includes a dependency on a newer version of nimbus-jose-jwt that breaks your code because the constructor for the DefaultJWKSetCache class changed - as I pointed out above.

I'll run through the tutorial again tomorrow with a clean project and version 2.3.5, but I'm not expecting it to work.

@chenrujun
Copy link

Hi, @azuroff .

Thank you for your detailed explanation.

I'll run through the tutorial again tomorrow with a clean project and version 2.3.5

Please specify the version manually, seems the project created by spring initializer will use version 2.3.3.

If your problem still exists, please share your pom. 🙏

@chenrujun
Copy link

FYI: We are trying to update azure-active-directory-spring-boot-starter's version to 2.3.5 on Spring initializer: spring-io/start.spring.io#534 ,

@tschmidt01
Copy link

tschmidt01 commented Sep 25, 2020

I'm experiencing the same issue using

<parent>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-starter-parent</artifactId>
  <version>2.3.4.RELEASE</version>
  <relativePath/> <!-- lookup parent from repository -->
</parent>
<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
  <version>2.3.5</version>
</dependency>

As already mentioned, adding

<dependency>
  <groupId>com.nimbusds</groupId>
  <artifactId>nimbus-jose-jwt</artifactId>
  <version>7.9</version>
</dependency>

resolves the issue.

@chenrujun
Copy link

Hi, @tschmidt01 ,
Thank you for reaching out.

I think if you change spring-boot-starter-parent's version from 2.3.4.RELEASE to 2.3.3.RELEASE will solve your problem.


Here is the detail information:

pom(spring-boot-starter-parent-2.3.3.RELEASE)(azure.version=2.3.5).xml.txt

image


pom(spring-boot-starter-parent-2.3.3.RELEASE)(azure.version=2.3.5).xml.txt

image


Currently, our azure-active-directory-spring-boot-starter not fit spring-boot-2.3.4 well.

I create a issue to fix it: #15666

@chenrujun chenrujun changed the title [BUG] Version problem about nimbus-jose-jwt [BUG] Version problem about nimbus-jose-jwt in azure-active-directory-spring-boot-starter Sep 25, 2020
@DRoppelt
Copy link

DRoppelt commented Nov 3, 2020

I am facing the same problem and have following questions, since #15666 was closed about 2 weeks ago.

  1. when is the next release planned? I have a hard time figuring that out in this repo.
  2. is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

@chenrujun
Copy link

Hi, @DRoppelt ,

when is the next release planned? I have a hard time figuring that out in this repo.

Currently, not sure.

is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

azure-active-directory-spring-boot-starter:2.3.5 already fixed the problem, please use it.


if you are using spring-boot-starter-parent:2.3.4, you use write like this:

<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
  <version>2.3.5</version>
</dependency>

not

<dependency>
  <groupId>com.microsoft.azure</groupId>
  <artifactId>azure-active-directory-spring-boot-starter</artifactId>
</dependency>

<version> can not be skipped.

@DRoppelt
Copy link

DRoppelt commented Nov 4, 2020

I cannot confirm that it is fixed with azure-active-directory-spring-boot-starter:2.3.5

2.3.5 of that module still uses:

<dependency>
      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>
</dependency>

I have attached a sample to reproduce this error: spring boot 2.3.5 + AAD starter 2.3.5
demo.zip

Based on this: https://start.spring.io/#!type=maven-project&language=java&platformVersion=2.3.5.RELEASE&packaging=jar&jvmVersion=11&groupId=com.example&artifactId=demo&name=demo&description=Demo%20project%20for%20Spring%20Boot&packageName=com.example.demo&dependencies=web,actuator,azure-active-directory

Added following to produce this error:
application.properties:

azure.activedirectory.session-stateless=true
azure.activedirectory.client-id=xxxxxxx

Executing mvn test will lead to the error.

This is the change that fixes it: https://github.com/Azure/azure-sdk-for-java/pull/15671/files#diff-bcfb49d18189176138f006deabde7a4362c16181b6eea91a03aa06bc75ed1727R112

@chenrujun
Copy link

Hi, @DRoppelt , Thank you for your quick response.

Here is the screenshot about your demo's dependency:

nimbus-8 19

After add the following fragment in the pom:

      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>

Then dependency will be like this:
image

Then mvn test will pass.

So please add the following fragment in you pom:

      <groupId>com.nimbusds</groupId>
      <artifactId>nimbus-jose-jwt</artifactId>
      <version>7.9</version>

@DRoppelt
Copy link

DRoppelt commented Nov 5, 2020

@chenrujun

yes that fixes it as a workaround, thank you.

is there a way to verify the fix with some release candidate or snapshot including fix? In case the next release is not anytime soon

azure-active-directory-spring-boot-starter:2.3.5 already fixed the problem, please use it.

That sounded like it was already fixed with 2.3.5 without a workaround, but I misunderstood.

@chenrujun
Copy link

@DRoppelt

yes that fixes it as a workaround, thank you.

You are welcome.

That sounded like it was already fixed with 2.3.5 without a workaround, but I misunderstood.

Sorry for making you confused.
If you are using spring-boot:2.3.3 with azure-active-directory-spring-boot-starter:2.3.5, then no problem.

But if you are using spring-boot:2.3.4( or 2.3.5), then you should use that workaround. Because spring-boot-dependencies managed nimbus-jose-jwt's version since 2.3.4.

Refs:

@talesleaves
Copy link

talesleaves commented Nov 13, 2020

I think the problem with AADAuthenticationFilterAutoConfiguration#getJWKSetCache () can be solved with the following snippet.
We have also confirmed that this fix works for the application.

 @Bean
 @ConditionalOnMissingBean(JWKSetCache.class)
 public JWKSetCache getJWKSetCache () {
     return new DefaultJWKSetCache (aadAuthProps.getJwkSetCacheLifespan(),
             aadAuthProps.getJwkSetCacheLifespan(), TimeUnit.MILLISECONDS);
 }

However, the second argument of DefaultJWKSetCache determines the refresh cycle of the token.
Having the same value of cache life and refresh timing may cause another problem.

For this reason, I think the aadAuthProps will need a new Long value to determine the cache refresh cycle.

@talesleaves
Copy link

The issue pointed out earlier has been reported in another issue microsoft/azure-spring-boot#802
This issue may resolved by adding one property named like as "jwkSetCacheRefleshSpan" to AADAuthenticationFilterAutoConfiguration.

@chenrujun
Copy link

chenrujun commented Nov 13, 2020

@talesleaves

I think the problem with AADAuthenticationFilterAutoConfiguration#getJWKSetCache () can be solved with the following snippet.

Already did that in latest master branch:

https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilterAutoConfiguration.java#L109

This issue may resolved by adding one property named like as "jwkSetCacheRefleshSpan" to AADAuthenticationFilterAutoConfiguration.

Thank you for your suggestion.
Issue created: #17567

@talesleaves
Copy link

talesleaves commented Nov 14, 2020

Also, for users:
If you want to use a newer version of spring-boot-starter before this update takes effect, add the following snippet to your any configuration:

@Autowired
private AADAuthenticationProperties aadAuthProps;
//other configs...

@Bean
public JWKSetCache getJWKSetCache () {
    long lifeSpan = aadAuthProps.getJwkSetCacheLifespan();
    return new DefaultJWKSetCache (lifeSpan, lifeSpan, TimeUnit.MILLISECONDS);
}

This is the same behavior as nimbus-jose-jwt <8.10.
However, it is desirable that the second argument be slightly smaller than the first argument, as it can cause other problems as pointed out earlier.

I hope you find it useful.

@chenrujun
Copy link

@talesleaves , Thank you very much for your suggestion for users. 👍

@talesleaves
Copy link

@chenrujun , It was my pleasure.

@DRoppelt
Copy link

@chenrujun

Since you have closed this issue, was there a release that fixed this without one of the two workarounds?

@chenrujun
Copy link

@DRoppelt , OK, I'll reopen this issue, and close it until next release.

@chenrujun chenrujun reopened this Nov 19, 2020
@chenrujun
Copy link

We released azure-spring-boot-starter-active-directory:3.0.0, so I'll close this issue.

@yangzii0920
Copy link

yangzii0920 commented Feb 16, 2021

using com.microsoft.azure:azure-active-directory-spring-boot-starter:2.3.2
upgrading spring boot version from 2.2.8.RELEASE to 2.3.1.RELEASE cause this to happen
updating to com.microsoft.azure:azure-active-directory-spring-boot-starter:2.3.5 did not help

adding blow dependency management helped resolve the issue

dependencyManagement {
    imports {
        mavenBom 'com.microsoft.azure:azure-spring-boot-bom:2.2.1'
    }
}

openapi-sdkautomation bot pushed a commit to AzureSDKAutomation/azure-sdk-for-java that referenced this issue Jul 15, 2021
Copy the stable version of 2021-08-01 (Azure#15180)

* Copy the stable version of 2021-08-01

* Fix spellcheck and readme.md

* Adding alibaba as known word
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
azure-spring All azure-spring related issues azure-spring-aad Spring active directory related issues. customer-reported Issues that are reported by GitHub users external to the Azure organization. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
None yet
Development

No branches or pull requests

7 participants