Incompatibility with Spring Security 5.6

[andrea-pellegatta]

Describe the bug
I've recently updated spring boot (spring-boot-starter-parent) version from 2.5.6 to 2.6.1.
Spring Boot starter parent contains a dependency to spring-security-oauth2-jose 5.6.0.
When I request the access token, using the authorization code flow, I now get the following error

failed to access class org.springframework.security.oauth2.jwt.JoseHeader from class org.springframework.security.oauth2.server.authorization.authentication.JwtUtils (org.springframework.security.oauth2.jwt.JoseHeader and org.springframework.security.oauth2.server.authorization.authentication.JwtUtils are in unnamed module of loader 'app')

Stacktrace
java.lang.IllegalAccessError: failed to access class org.springframework.security.oauth2.jwt.JoseHeader from class org.springframework.security.oauth2.server.authorization.authentication.JwtUtils (org.springframework.security.oauth2.jwt.JoseHeader and org.springframework.security.oauth2.server.authorization.authentication.JwtUtils are in unnamed module of loader 'app') at org.springframework.security.oauth2.server.authorization.authentication.JwtUtils.headers(JwtUtils.java:46) ~[spring-security-oauth2-authorization-server-0.2.1.jar:0.2.1] at org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeAuthenticationProvider.authenticate(OAuth2AuthorizationCodeAuthenticationProvider.java:174) ~[spring-security-oauth2-authorization-server-0.2.1.jar:0.2.1] at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-5.6.0.jar:5.6.0] at org.springframework.security.oauth2.server.authorization.web.OAuth2TokenEndpointFilter.doFilterInternal(OAuth2TokenEndpointFilter.java:165) ~[spring-security-oauth2-authorization-server-0.2.1.jar:0.2.1] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119) ~[spring-web-5.3.13.jar:5.3.13] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.0.jar:5.6.0] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:115) ~[spring-security-web-5.6.0.jar:5.6.0] at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:81) ~[spring-security-web-5.6.0.jar:5.6.0] at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:336) ~[spring-security-web-5.6.0.jar:5.6.0]

Code triggering the error
JwtUtils - headers()

static Builder headers() { return JoseHeader.withAlgorithm(SignatureAlgorithm.RS256); }

The flow was correctly working when I had Spring Boot parent 2.5.6

To Reproduce
spring-authorization-server 0.2.0 (or 0.2.1)
spring-boot-starter-parent 2.6.1
authorization code, request an access token

Expected behavior
the access token is correctly returned

[denis111]

Spring Security 5.6 has the same class JoseHeader in the same package but it's not public(but I think it should be public).

[jgrandja]

@andrea-pellegatta Spring Authorization Server is not compatible with Spring Security 5.6. With the recent 5.6 release, JwtEncoder was introduced in spring-security#9208, which resulted in this incompatibility since JwtEncoder also exists in this project.

FYI, our plan is to @Deprecate JwtEncoder (and associated classes) in this project and use the ones provided in Spring Security. This refactoring will happen in gh-594 and will resolve the incompatibility.

[denis111]

@jgrandja Could you ask then Spring Security team to make JoseHeader public, please? Because we use it in custom granters...

[jgrandja]

@denis111 JwsHeader is public. Does that work? If not, can you please provide more detail on why you need JoseHeader to be public? At the moment, there is no need to expose JoseHeader within the framework.

[denis111]

@jgrandja I need JoseHeader to generate JWT token in custom granter. Maybe if you make JwtUtils public we can make it without JoseHeader? Because for now I have to do this with 'copy-pasted' JwtUtils:

JoseHeader.Builder headersBuilder = JwtUtils.headers();
...
context = JwtEncodingContext.with(headersBuilder, claimsBuilder)

[jgrandja]

@denis111

I need JoseHeader to generate JWT token in custom granter

This is not enough detail. Please log more detail in gh-414 as this conversation if off topic from the main issue.

[endink]

How to fix this problem in this version? Can we hear some good news?

[bjornharvold]

Yes, is there any way to fix the current version or do we have to downgrade to Spring Boot 2.5.8?

[endink]

@bjornharvold

It seems that there is no way, we have downgraded to spring security 5.5.4, but still springboot 2.6.2, it seems worked!

configurations.all{
        resolutionStrategy.eachDependency {
            val request = requested
            if (request.group == "org.springframework.security" && request.module.name != "spring-security-oauth2-authorization-server") {
                this.useVersion("5.5.4")
            }
        }
    }

The only thing to be careful about is that this class is not compatible with spring boot 2.6：

@Configuration(proxyBeanMethods = false)
	@ConditionalOnMissingBean(JwtDecoder.class)
	static class JwtDecoderConfiguration

so you have to define JwtDecoder bean by yourself !