Closed SLepUbIn closed 4 years ago
Thanks, @SLepUbIn for checking on this. It is expected behavior.
Because opaque token is an optional feature, the dependency is also marked as optional. You'll note that oauth2-jose
is also optional since JWT is an optional feature.
Feel free to comment, if you feel I've misunderstood what you are asking for.
Ok, I think I have been mislead because spring-boot-starter-oauth2-resource-server pulls oauth2-jose but not nimbus oauth2-oidc-sdk. Thanks for the explanation.
@jzheaux IMHO oauth2-oidc-sdk
should still be a managed dependency even if it is optional. This might be a spring-boot-issue though.
Agreed, @leonard84, that Spring Boot would need to determine something like that.
Summary
nimbus HTTPResponse ClassNotFound using
with spring boot 2.2.4 RELEASE, spring security 5.2.1
Actual Behavior
my configuration :
when reaching the introspect method of the NimbusOpaqueTokenIntrospector class, the following line throws an exception :
HTTPResponse httpResponse = adaptToNimbusResponse(responseEntity);
because com.nimbusds:oauth2-oidc-sdk is not in dependencies.
manually adding the nimbus oauth2 dependency in my pom solves the problem
I am not used to gradle but the dependency is set to optional in gradle in this repo :
https://github.com/spring-projects/spring-security/blob/master/oauth2/oauth2-resource-server/spring-security-oauth2-resource-server.gradle#L10
Expected Behavior
No exception
Full stacktrace :