spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Map With Long Key Causes HttpMessageNotWritableException with spring-security-oauth2-jose version 5.8.1 #12668

Closed willweyant closed 3 months ago

willweyant commented 1 year ago

Describe the bug

While following upgrade of spring security in preparation for move to Spring Boot 3 (Spring 6) from Spring Boot 2.7.8, we encountered an issue in a SpringBootTest for a RestController. We have a JWT token with two Map<Long,String> properties. It seems that a Map key of any other number type works except for Long with the upgrade. We were able to trace the issue to the nimbus-jose-jwt dependency version 9.24.4 provided via spring-security-oauth2-jose (version 5.8.1). nimbus-jose-jwt version 9.22 works fine.

To Reproduce

Upgrade a spring boot 2.7.8 application with spring-security to 3 following directions here: [https://docs.spring.io/spring-security/reference/5.8/migration/index.html]. Write a spring boot test to call a GET resource with an Authorization header with Bearer token containing a Map<Long, String> property. The test fails with an exception similar to this:

Expected behavior

A Map with a Long key should still work in a JWT token.

Sample

Not able to provide code from application.

sjohnr commented 3 months ago

@willweyant thanks for reaching out! I apologize for the delay in response.

> We have a JWT token with two Map<Long,String> properties.

> A Map with a Long key should still work in a JWT token.

Numbers in JSON (RFC 8259) are defined as integers (which would map to java.lang.Integer) and object keys are strings. I don't believe it's possible for such a Map to be represented in JSON.

> We were able to trace the issue to the nimbus-jose-jwt dependency version 9.24.4 provided via spring-security-oauth2-jose (version 5.8.1). nimbus-jose-jwt version 9.22 works fine.

The nimbus-jose-jwt project is a separate project from Spring Security. You would be best suited to reach out on the issue tracker for the nimbus-jose-jwt project.

I'm going to close this issue since it's for an external project. If you still believe this is a bug in Spring Security, please provide a minimal, reproducible sample and I'll be happy to take a look.
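
An added example (not from this thread, and not code from Spring Security or nimbus-jose-jwt) of carrying a Long-keyed map through a JSON claim, given that JSON object keys are strings: the keys are written out as strings when the claim is built and strictly parsed back once the token has been validated. The class and method names are hypothetical and only the JDK is used.

```java
import java.util.LinkedHashMap;
import java.util.Map;
// Added illustration; class and method names are hypothetical, JDK only.
public class LongKeyClaim {

    // Before issuing the token: JSON object keys are strings, so make that explicit.
    static Map<String, String> toClaim(Map<Long, String> source) {
        Map<String, String> claim = new LinkedHashMap<>();
        source.forEach((k, v) -> claim.put(Long.toString(k), v));
        return claim;
    }

    // After validating the token: rebuild the Long-keyed view, rejecting anything
    // that is not the canonical decimal form of a long.
    static Map<Long, String> fromClaim(Object rawClaim) {
        if (!(rawClaim instanceof Map<?, ?>)) {
            throw new IllegalArgumentException("claim is not a JSON object");
        }
        Map<Long, String> result = new LinkedHashMap<>();
        for (Map.Entry<?, ?> e : ((Map<?, ?>) rawClaim).entrySet()) {
            if (!(e.getKey() instanceof String) || !(e.getValue() instanceof String)) {
                throw new IllegalArgumentException("unexpected key or value type");
            }
            String key = (String) e.getKey();
            long parsed;
            try {
                parsed = Long.parseLong(key);
            } catch (NumberFormatException ex) {
                throw new IllegalArgumentException("key is not a long: " + key, ex);
            }
            // "+7" and "007" parse to 7 but are not canonical; refuse them so two
            // distinct JSON keys can never collapse into one Long.
            if (!Long.toString(parsed).equals(key)) {
                throw new IllegalArgumentException("non-canonical key: " + key);
            }
            result.put(parsed, (String) e.getValue());
        }
        return result;
    }

    public static void main(String[] args) {
        Map<Long, String> roles = new LinkedHashMap<>();   // constructed sample data
        roles.put(9007199254740993L, "admin");
        roles.put(42L, "viewer");
        Map<String, String> claim = toClaim(roles);
        System.out.println(claim);
        System.out.println(fromClaim(claim).equals(roles));
    }
}
```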