This repository has been archived by the owner on Jul 5, 2023. It is now read-only.

Make library dependencies have an upper version limit. #293

Closed
vcolin7 opened this issue Sep 10, 2020 · 7 comments
Comments

@vcolin7

vcolin7 commented Sep 10, 2020

The current POM has a lot of dependencies that use a versioning format such as this: [1.5,)

(screenshot of the POM dependency declarations)

This can cause projects that use these libraries to fail, since the dependencies can get updated with breaking changes, such as what happened in this issue in the Azure SDK for Java.

@joshfree

Relevant info quoted from @mercer on Azure/azure-sdk-for-java#14898

  1. the issue for us started appearing on September 6
  2. same date nimbus-jose-jwt v9.0 is released
  3. it's either nimbus-jose-jwt, or azure keyvault's api changed on the same date, September 6
  4. for us, the part of the system that failed in the pipeline is legacy code, no changes to code, or pipeline, or dependencies (declared), or the keyvault it goes to fetch configuration from in more than 6 months
  5. pipeline runs on code changes from other parts of the system (dotnet), and rebuilds all artifacts
  6. the dependency of your dependency of your dependency (adal4j) is happy to get any future version [6.0.1,)
  7. this is dangerous for them (nimbusds), for them (adal4j), for you (keyvault client), and for all of us using this
  8. it's a 💣 waiting to go boom
  9. it has to be a broken api with nimbus-jose-jwt, they even changed the major version!, while there is not even a patch version change for azure-keyvault-secrets-spring-boot-starter

Please pin down all your dependency versions, even if I'm wrong about the root cause, as safety for future transient dependency changes.

(for example all spring starters guarantee that all the jars you get work well together, they do extensive tests to prove this, so that we don't have to)

Good luck 👍

@bganapa

bganapa commented Sep 10, 2020

The issue is being hit through the Azure Stack compatible Azure SDK as well:
java.lang.NoSuchMethodError: 'net.minidev.json.JSONObject com.nimbusds.jwt.JWTClaimsSet.toJSONObject()'
..
at com.microsoft.aad.adal4j.AuthenticationContext.createClientAuthFromClientAssertion(AuthenticationContext.java:941)
at com.microsoft.aad.adal4j.AuthenticationContext.acquireToken(AuthenticationContext.java:241)
at com.microsoft.aad.adal4j.AuthenticationContext.acquireToken(AuthenticationContext.java:376)
...
at com.microsoft.azure.management.profile_2019_03_01_hybrid.Azure$AuthenticatedImpl.withDefaultSubscription(Azure.java:293)
at com.microsoft.azure.management.utility.Authenticate.authenticate(Authenticate.java:141)

@SomkaPe
Contributor

SomkaPe commented Sep 15, 2020

@vcolin7 @joshfree The pom.xml in the screenshot is not the pom.xml of this project.
The pom.xml in this project uses specific versions of dependencies.

@SomkaPe SomkaPe closed this as completed Sep 15, 2020
@vcolin7
Author

vcolin7 commented Sep 15, 2020

@SomkaPe I misworded what I meant to say: ADAL4J 1.6.4 has a dependency (com.nimbusds:oauth2-oidc-sdk:6.5) that has a few dependencies of its own in the format shown in the picture: [1.5,). This causes problems when these transient dependencies introduce breaking changes such as the ones described in this issue.
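
The open-ended range syntax discussed in this thread can be checked for mechanically. The script below is an added example, not code from adal4j or from any commenter: it classifies Maven version specs (soft, pinned, closed, open-ended) and lists every dependency in a POM whose range has no upper bound. The POM and its coordinates are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# One Maven range set: "[lo,hi)", "(lo,hi]", "[exact]"; an empty hi means unbounded.
RANGE_SET = re.compile(r"^([\[(])\s*([^,\])]*)\s*(?:,\s*([^,\])]*)\s*)?([\])])$")

def classify_range(spec):
    """'soft' (bare version), 'pinned' ([1.5]), 'closed' ([1.5,2.0)) or
    'open-ended' ([1.5,)); the last accepts any future release, major bumps included."""
    spec = spec.strip()
    if not spec.startswith(("[", "(")):
        return "soft"
    kinds = set()
    for part in re.split(r",(?=[\[(])", spec):  # "(,1.0],[1.2,)" -> two sets
        m = RANGE_SET.match(part.strip())
        if not m:
            raise ValueError(f"malformed Maven version range: {spec!r}")
        _lo_br, _lo, hi, _hi_br = m.groups()
        kinds.add("pinned" if hi is None else "open-ended" if hi == "" else "closed")
    if "open-ended" in kinds:
        return "open-ended"
    return "closed" if "closed" in kinds else "pinned"

def open_ended_dependencies(pom_xml):
    """Return (groupId, artifactId, version) for every <dependency> whose
    version range has no upper bound; tag names are compared without namespace."""
    hits = []
    for dep in ET.fromstring(pom_xml).iter():
        if dep.tag.rsplit("}", 1)[-1] != "dependency":
            continue
        f = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in dep}
        if f.get("version") and classify_range(f["version"]) == "open-ended":
            hits.append((f.get("groupId"), f.get("artifactId"), f["version"]))
    return hits

# Constructed sample POM (hypothetical coordinates, not the real adal4j pom.xml).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>jwt-lib</artifactId><version>[6.0.1,)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>json-lib</artifactId><version>[2.0,3.0)</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>util</artifactId><version>1.2.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for gid, aid, ver in open_ended_dependencies(SAMPLE_POM):
        print(f"open-ended range: {gid}:{aid}:{ver}")
```

Running it against a resolved dependency tree (for example the effective POM of each transitive artifact) rather than a single file is what would have caught the adal4j case, since the offending range sat two levels down.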

@SomkaPe
Contributor

SomkaPe commented Sep 16, 2020

@vcolin7 Thanks for the clarification. I am going to update the "com.nimbusds:oauth2-oidc-sdk" dependency to 7.4; that version does not use open-ended version ranges.

@SomkaPe SomkaPe reopened this Sep 16, 2020
@vcolin7
Author

vcolin7 commented Sep 16, 2020

@SomkaPe As an additional note, the folks from Nimbus mentioned that all dependencies are fixed or closed ranges in 8.x.

@SomkaPe
Contributor

SomkaPe commented Sep 17, 2020

@vcolin7 Version 1.6.6 was released with the "com.nimbusds:oauth2-oidc-sdk" dependency updated to 7.4.
This version is tested and used in msal4j.

@vcolin7 vcolin7 closed this as completed Sep 17, 2020