Describe the bug

When using an OAuth2 opaque Bearer token, without a JWT token, the code breaks after upgrading to spring-boot:3.5.0. The same code worked without problems with spring-boot:3.4.6. Here, an exception is thrown:

Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/jwt/JwtDecoderFactory
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer.configure(DPoPAuthenticationConfigurer.java:79) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:288) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:147) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:398) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:352) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.0.jar:6.5.0]
    at spike.config.BeansConfig.filterChain(BeansConfig.java:35) ~[classes/:na]
    at spike.config.BeansConfig$$SpringCGLIB$$0.CGLIB$filterChain$0(<generated>) ~[classes/:na]
    at spike.config.BeansConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>) ~[classes/:na]
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258) ~[spring-core-6.2.7.jar:6.2.7]
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:393) ~[spring-context-6.2.7.jar:6.2.7]
    at spike.config.BeansConfig$$SpringCGLIB$$0.filterChain(<generated>) ~[classes/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:171) ~[spring-beans-6.2.7.jar:6.2.7]
    ... 42 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.jwt.JwtDecoderFactory
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[na:na]
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525) ~[na:na]
    ... 59 common frames omitted

To Reproduce

See the example repository below and run mvn spring-boot:run.

Expected behavior

The dependencies are handled correctly by default, and no exception is thrown.

Sample

Here is a small repo reproducing the problem. Check the following branches in the GitHub repo:

* main : throws the exception with spring-boot:3.5.0
* spring-boot-3.4.6 : shows the same code working with spring-boot:3.4.6
* workaround : shows that adding spring-security-oauth2-jose makes the code work with spring-boot:3.5.0

Comment From: ngocnhan-tran1996

You can try these dependencies instead.

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>

Comment From: pheyken

This will most likely be addressed with #16940. The workaround is, as you noted, adding the spring-security-oauth2-jose dependency for now.

Comment From: jgrandja

Thanks for the report @vanrenter. I'll get a fix in for the next patch release 6.5.2.
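
The following is an added example, not part of the original thread or of the Spring Security project: a shell check over `mvn dependency:tree` output that flags the combination reported above, the resource server module on the classpath without spring-security-oauth2-jose. The function name `check_jose_missing` and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (not taken from the
# reporter's repository): an opaque-token resource server without the jose module.
SAMPLE_TREE='[INFO] spike:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.5.0:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.5.0:compile
[INFO] |  \- org.springframework.security:spring-security-web:jar:6.5.0:compile
[INFO] \- org.springframework.security:spring-security-oauth2-resource-server:jar:6.5.0:compile
[INFO]    \- org.springframework.security:spring-security-oauth2-core:jar:6.5.0:compile'

# check_jose_missing (hypothetical helper): reads dependency:tree text on stdin.
# Returns 0 and prints a finding when spring-security-oauth2-resource-server is
# present but spring-security-oauth2-jose is not, so JwtDecoderFactory cannot be
# loaded. Returns 1 (no output) in every other case.
check_jose_missing() {
    tree=$(cat)
    printf '%s\n' "$tree" |
        grep -q 'org\.springframework\.security:spring-security-oauth2-resource-server:' || return 1
    if printf '%s\n' "$tree" | grep -q ':spring-security-oauth2-jose:'; then
        return 1
    fi
    # Report the spring-security-config version so the finding can be compared
    # with the version in the stack trace (6.5.0 in this issue).
    cfg=$(printf '%s\n' "$tree" |
        sed -n 's/.*:spring-security-config:jar:\([^:]*\):.*/\1/p' | head -n 1)
    echo "resource-server present, spring-security-oauth2-jose absent (spring-security-config ${cfg:-unknown})"
}

# Demo on the constructed sample. On a real project:
#   mvn dependency:tree | check_jose_missing
printf '%s\n' "$SAMPLE_TREE" | check_jose_missing
```

A finding means the build depends on the workaround from this thread (adding spring-security-oauth2-jose) until it picks up a release containing the fix.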