Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[FEATURE REQ] Dependency management for com.microsoft.azure:msal4j #42942

Open arikogan opened 1 week ago

arikogan commented 1 week ago

Is your feature request related to a problem? Please describe.

When working with azure-sdk's BOM, there are different versions of com.microsoft.azure:msal4j being imported.

- azure-sdk-bom depends on azure-identity
- azure-identity depends on com.microsoft.azure:msal4j:1.17.2
- azure-identity also depends on com.microsoft.azure:msal4j-persistence-extension
- msal4j-persistence-extension depends on com.microsoft.azure:msal4j:1.15.1

Meaning that when importing azure-sdk-bom we get two different versions for msal4j: 1.17.2 and 1.15.1

Describe the solution you'd like

I'd like to have azure-sdk-bom import the version of msal4j I need.

Describe alternatives you've considered

A suggestion to avoid this is to add msal4j to the dependency management of azure-identity, not only as a dependency as it is today. This way, further dependencies will take this version to work with.


github-actions[bot] commented 1 week ago

@billwert @g2vinay

github-actions[bot] commented 1 week ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

billwert commented 1 week ago

Thanks for calling this to our attention @arikogan, we'll take a look!

billwert commented 5 days ago

Hey @arikogan quick question:

I'm trying to reproduce this with the following dependencies in my POM:


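```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-sdk-bom</artifactId>
            <version>1.2.29</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>

<dependencies>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-core</artifactId>
    </dependency>
    <dependency>
        <groupId>com.azure</groupId>
        <artifactId>azure-identity</artifactId>
    </dependency>
    <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-simple</artifactId>
        <version>2.0.16</version>
    </dependency>
</dependencies>

<build>
    <plugins>
        <!-- Enclosing element assumed: dependency-check-maven is normally declared as a build plugin -->
        <plugin>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-maven</artifactId>
            <version>9.2.0</version>
        </plugin>
    </plugins>
</build>
```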

And when I run mvn dependency:tree I only see msal4j once, with the correct newer version:

```
[INFO] +- com.azure:azure-identity:jar:1.14.0:compile
<snip a bunch of non-related deps>
[INFO] |  +- com.microsoft.azure:msal4j:jar:1.17.2:compile
[INFO] |  |  +- com.nimbusds:oauth2-oidc-sdk:jar:11.18:compile
[INFO] |  |  |  +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |  |  |  +- com.nimbusds:content-type:jar:2.3:compile
[INFO] |  |  |  +- com.nimbusds:lang-tag:jar:1.7:compile
[INFO] |  |  |  \- com.nimbusds:nimbus-jose-jwt:jar:9.40:compile
[INFO] |  |  \- net.minidev:json-smart:jar:2.5.0:compile
[INFO] |  |     \- net.minidev:accessors-smart:jar:2.5.0:compile
[INFO] |  |        \- org.ow2.asm:asm:jar:9.3:compile
[INFO] |  +- com.microsoft.azure:msal4j-persistence-extension:jar:1.3.0:compile
[INFO] |  |  \- net.java.dev.jna:jna:jar:5.13.0:compile
```

Can you share your pom and how you are seeing both dependencies referenced please? We want to make sure we're seeing the same thing before we apply a fix.

github-actions[bot] commented 5 days ago

Hi @arikogan. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

arikogan commented 4 days ago

Hi @billwert. Thanks for looking into this. We are using the Maven Enforcer Plugin. It's the Dependency Convergence rule that flags that different builds may converge to different versions. In practice, we are not getting the older version that msal4j-persistence-extension depends on. However, in order to avoid Maven picking up another version candidate, we need to lock the version of msal4j, and that is less maintainable.

I think this can be overcome by setting the version of msal4j in the dependency management of one of the parent POMs. I see several other modules defining the version of msal4j again themselves (e.g. eventhubs).

Sending below a pom.xml with the enforcer and the output of the enforcer plugin (running clean install).

pom.xml

```xml
<project>
    <modelVersion>4.0.0</modelVersion>
    <groupId>com.mycompany.app</groupId>
    <artifactId>my-app</artifactId>
    <version>1</version>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>com.azure</groupId>
                <artifactId>azure-sdk-bom</artifactId>
                <version>1.2.29</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-enforcer-plugin</artifactId>
                <executions>
                    <execution>
                        <goals>
                            <goal>enforce</goal>
                        </goals>
                        <configuration>
                            <rules>
                                <dependencyConvergence>
                                    <excludes>
                                        <exclude>io.netty:netty-transport-native-epoll</exclude>
                                        <exclude>io.netty:netty-transport-native-unix-common</exclude>
                                        <exclude>org.slf4j:slf4j-api</exclude>
                                        <exclude>io.netty:netty-codec-http2</exclude>
                                        <exclude>io.netty:netty-transport</exclude>
                                        <exclude>io.netty:netty-common</exclude>
                                        <exclude>io.netty:netty-resolver</exclude>
                                        <exclude>net.java.dev.jna:jna-platform</exclude>
                                        <exclude>io.netty:netty-handler-proxy</exclude>
                                        <exclude>io.netty:netty-codec-http</exclude>
                                        <exclude>com.fasterxml.jackson.core:jackson-databind</exclude>
                                        <exclude>io.netty:netty-codec</exclude>
                                        <exclude>io.netty:netty-handler</exclude>
                                        <exclude>io.netty:netty-buffer</exclude>
                                        <exclude>net.minidev:json-smart</exclude>
                                    </excludes>
                                </dependencyConvergence>
                                <requireJavaVersion>
                                    <version>[17,)</version>
                                </requireJavaVersion>
                                <requireMavenVersion>
                                    <version>3.3.1</version>
                                </requireMavenVersion>
                            </rules>
                            <fail>true</fail>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
    <dependencies>
        <dependency>
            <groupId>com.azure</groupId>
            <artifactId>azure-identity</artifactId>
        </dependency>
    </dependencies>
</project>
```

Enforcer Plugin

```
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-enforcer-plugin:3.5.0:enforce (default) on project my-app:
[ERROR] Rule 0: org.apache.maven.enforcer.rules.dependency.DependencyConvergence failed with message:
[ERROR] Failed while enforcing releasability.
[ERROR]
[ERROR] Dependency convergence error for com.microsoft.azure:msal4j:jar:1.17.2 paths to dependency are:
[ERROR] +-com.mycompany.app:my-app:jar:1
[ERROR]   +-com.azure:azure-identity:jar:1.14.0:compile
[ERROR]     +-com.microsoft.azure:msal4j:jar:1.17.2:compile
[ERROR] and
[ERROR] +-com.mycompany.app:my-app:jar:1
[ERROR]   +-com.azure:azure-identity:jar:1.14.0:compile
[ERROR]     +-com.microsoft.azure:msal4j-persistence-extension:jar:1.3.0:compile
[ERROR]       +-com.microsoft.azure:msal4j:jar:1.15.0:compile
```

billwert commented 4 days ago

Ah, excellent, this is exactly what I needed. Thanks.

billwert commented 4 days ago

The fix for this is going to be in the msal4j layer instead of here.

https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/880

Thanks for the report!

github-actions[bot] commented 4 days ago

Hi @arikogan. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.

arikogan commented 1 day ago

@billwert, if the approach is to get the dependencies to bump msal4j, what do you think about running the Maven Enforcer plugin on the Azure SDK to ensure this?
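
An added example, not part of the thread or of either project's code: it parses the Dependency Convergence error quoted above and applies Maven's "nearest definition wins" mediation to each path, which shows why `mvn dependency:tree` lists only msal4j 1.17.2 while the enforcer rule still fails. It assumes no `dependencyManagement` entry overrides the artifact; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the msal4j paths from the enforcer output quoted in this thread.
ENFORCER_OUTPUT = """\
[ERROR] Dependency convergence error for com.microsoft.azure:msal4j:jar:1.17.2 paths to dependency are:
[ERROR] +-com.mycompany.app:my-app:jar:1
[ERROR]   +-com.azure:azure-identity:jar:1.14.0:compile
[ERROR]     +-com.microsoft.azure:msal4j:jar:1.17.2:compile
[ERROR] and
[ERROR] +-com.mycompany.app:my-app:jar:1
[ERROR]   +-com.azure:azure-identity:jar:1.14.0:compile
[ERROR]     +-com.microsoft.azure:msal4j-persistence-extension:jar:1.3.0:compile
[ERROR]       +-com.microsoft.azure:msal4j:jar:1.15.0:compile
"""
HEADER = re.compile(r"Dependency convergence error for ([^:\s]+):([^:\s]+):")
NODE = re.compile(r"^\[ERROR\] ( *)\+-[^:\s]+:([^:\s]+):[^:\s]+:([^:\s]+)")

def parse_paths(text):
    """Return {(group, artifact): [(depth, version, requested_by), ...]} in path order."""
    found, target, path = defaultdict(list), None, []
    def flush():
        # The last node of a path is the conflicting artifact; the one before requested it.
        if target and path:
            parent = path[-2][1] if len(path) > 1 else None
            found[target].append((path[-1][0], path[-1][2], parent))
    for line in text.splitlines():
        header, node = HEADER.search(line), NODE.match(line)
        if header:                              # a new conflicting artifact starts
            flush()
            target, path = (header.group(1), header.group(2)), []
        elif line.strip() == "[ERROR] and":     # separator between alternative paths
            flush()
            path = []
        elif node:                              # two spaces of indent per tree level
            path.append((len(node.group(1)) // 2, node.group(2), node.group(3)))
    flush()
    return dict(found)

def mediate(occurrences):
    """Nearest definition wins: lowest depth first; the stable sort keeps declaration order on ties."""
    ranked = sorted(occurrences, key=lambda o: o[0])
    return ranked[0], [o for o in ranked[1:] if o[1] != ranked[0][1]]

def report(text):
    """Map 'group:artifact' to the version Maven resolves and the versions it omits."""
    result = {}
    for (group, artifact), occurrences in parse_paths(text).items():
        winner, omitted = mediate(occurrences)
        result[f"{group}:{artifact}"] = {"resolved": winner[1],
                                         "omitted": [(v, via) for _, v, via in omitted]}
    return result

if __name__ == "__main__": print(report(ENFORCER_OUTPUT))
```

The omitted entries are the versions a transitive dependency was built against but that never reach the classpath, which is the set worth reviewing when an enforcer exclusion or version pin is being considered.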