Unable to Create IdTokenVerifier or AccessTokenVerifier after Upgrading To 0.5.8

[nova-airship]

I'm submitting a

• bug report

Background info

When upgrading from 0.5.7 to 0.5.8, I am no longer able to create an IdTokenVerifier or AccessTokenVerifier. This seems to be caused by a change in the jjwt dependency that is used. In 0.5.7, the jjwt version is 0.11.5 and in 0.5.8 it is 0.12.3. In looking into that dependency, I found they mentioned including breaking changes in 0.12.#+ which I believe has not fully been accounted for.

Tested with JDK 17 and 21.

Maven:

<dependency>
    <groupId>com.okta.jwt</groupId>
    <artifactId>okta-jwt-verifier</artifactId>
    <version>0.5.8</version>
</dependency>
<dependency>
    <groupId>com.okta.jwt</groupId>
    <artifactId>okta-jwt-verifier-impl</artifactId>
    <version>0.5.8</version>
    <scope>runtime</scope>
</dependency>

Expected behavior

Being able to successfully create an IdTokenVerifier and AccessTokenVerifier after upgrading to 0.5.8.

What went wrong?

Creating an IdTokenVerifier:

NoSuchMethodError: 'io.jsonwebtoken.JwtParserBuilder io.jsonwebtoken.Jwts.parser()'.
Stack Trace:
com.okta.jwt.impl.jjwt.TokenVerifierSupport.buildJwtParser:66
com.okta.jwt.impl.jjwt.TokenVerifierSupport.<init>:50
com.okta.jwt.impl.jjwt.JjwtIdTokenVerifier.<init>:41
com.okta.jwt.impl.jjwt.JjwtIdTokenVerifierBuilder.build:48
com.okta.jwt.impl.jjwt.JjwtIdTokenVerifierBuilder.build:25
my code...

Creating an AccessTokenVerifier:

NoSuchMethodError: 'io.jsonwebtoken.JwtParserBuilder io.jsonwebtoken.Jwts.parser()'.
Stack Trace:
com.okta.jwt.impl.jjwt.TokenVerifierSupport.buildJwtParser:66
com.okta.jwt.impl.jjwt.TokenVerifierSupport.<init>:61
com.okta.jwt.impl.jjwt.JjwtAccessTokenVerifier.<init>:50
com.okta.jwt.impl.jjwt.JjwtAccessTokenVerifierBuilder.build:58
com.okta.jwt.impl.jjwt.JjwtAccessTokenVerifierBuilder.build:27
my code...

Steps to reproduce

Creating an IdTokenVerifier:
JwtVerifiers.idTokenVerifierBuilder().setIssuer("https://my-issuer.com/oauth2/default").setClientId("my-client-id").build();

Creating an AccessTokenVerifier:
JwtVerifiers.accessTokenVerifierBuilder().setIssuer("https://my-issuer.com/oauth2/default").setAudience("my-audience").build();

Library Version

0.5.8

[arvindkrishnakumar-okta]

Thanks for reporting this!

I will take a look.

[nova-airship]

I believe the issue might actually be on our end. I didn't realize it at the time but we had another dependency (Twilio) from another module also using the jjwt dependencies. Even on their latest version, they seem to still be using 0.11.2. Due to the breaking changes introduced in 0.12.#+ , I am not sure I can simply override that dependency to use the updated one.

It is interesting that the jjwt repository says this in their change log for 0.12.0:
Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release where you can address breaking changes one time only.

Now, I understand changes had to be made to update to the current version being used (0.12.3) and I don't think I can ask for this version to be rolled back. As a result, I won't be able to update to the latest version of this library until others decide to update to 0.12.#+. I am not sure if they have decided to wait until v1.0 is released before updating it any further based on that comment, which could be awhile in that case.

In the meantime, I have at least requested that they update the version of that dependency which can be seen here:
twilio/twilio-java#788

[arvindkrishnakumar-okta]

Thanks for the info!

I'll close this issue, but feel free to reopen if you need further assistance/followup.