Skip to content

JwtDecoderFactory is missing and throws ClassNotFoundException with Bearer token and spring-boot:3.5.0 #17249

New issue
New issue
Open
Open
JwtDecoderFactory is missing and throws ClassNotFoundException with Bearer token and spring-boot:3.5.0#17249
Assignees
jgrandja
Labels
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug
Milestone
6.5.3
@vanrenter

Description

@vanrenter
vanrenter
opened on Jun 14, 2025 · edited by vanrenter

Describe the bug
When using OAuth2 opaque Bearer token, without jwt token, the code breaks after upgrade to spring-boot:3.5.0. The same code worked without problem with spring-boot:3.4.6. Here, exception is thrown

Caused by: java.lang.NoClassDefFoundError: org/springframework/security/oauth2/jwt/JwtDecoderFactory
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.DPoPAuthenticationConfigurer.configure(DPoPAuthenticationConfigurer.java:79) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:288) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.web.configurers.oauth2.server.resource.OAuth2ResourceServerConfigurer.configure(OAuth2ResourceServerConfigurer.java:147) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.configure(AbstractConfiguredSecurityBuilder.java:398) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractConfiguredSecurityBuilder.doBuild(AbstractConfiguredSecurityBuilder.java:352) ~[spring-security-config-6.5.0.jar:6.5.0]
    at org.springframework.security.config.annotation.AbstractSecurityBuilder.build(AbstractSecurityBuilder.java:38) ~[spring-security-config-6.5.0.jar:6.5.0]
    at spike.config.BeansConfig.filterChain(BeansConfig.java:35) ~[classes/:na]
    at spike.config.BeansConfig$$SpringCGLIB$$0.CGLIB$filterChain$0(<generated>) ~[classes/:na]
    at spike.config.BeansConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>) ~[classes/:na]
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258) ~[spring-core-6.2.7.jar:6.2.7]
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:393) ~[spring-context-6.2.7.jar:6.2.7]
    at spike.config.BeansConfig$$SpringCGLIB$$0.filterChain(<generated>) ~[classes/:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) ~[na:na]
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
    at java.base/java.lang.reflect.Method.invoke(Method.java:568) ~[na:na]
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:171) ~[spring-beans-6.2.7.jar:6.2.7]
    ... 42 common frames omitted
Caused by: java.lang.ClassNotFoundException: org.springframework.security.oauth2.jwt.JwtDecoderFactory
    at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[na:na]
    at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
    at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525) ~[na:na]
    ... 59 common frames omitted

To Reproduce
See the example repository below and run mvn spring-boot:run

Expected behavior
The dependencies are handled correctly by default, and no exception is thrown

Sample
Here is a small repo reproducing the problem.
Check the following branches in the github repo:

  • main : throws the exception with spring-boot:3.5.0
  • spring-boot-3.4.6 : shows the same code working with spring-boot:3.4.6
  • workaround : shows that adding spring-security-oauth2-jose make the code work with spring-boot:3.5.0

Activity

vanrenter
added
status: waiting-for-triageAn issue we've not yet triaged
type: bugA general bug
on Jun 14, 2025
ngocnhan-tran1996

ngocnhan-tran1996 commented on Jun 15, 2025

@ngocnhan-tran1996
ngocnhan-tran1996
on Jun 15, 2025
Contributor

You can try these dependencies instead.

    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-client</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
    </dependency>
pheyken

pheyken commented on Jun 16, 2025

@pheyken
pheyken
on Jun 16, 2025

This will most likely be addressed with #16940. The workaround is as you noted adding the spring-security-oauth2-jose dependency for now

jgrandja

jgrandja commented on Jun 16, 2025

@jgrandja
jgrandja
on Jun 16, 2025
Contributor

Thanks for the report @vanrenter. I'll get a fix in for the next patch release 6.5.2.

jgrandja
self-assigned this
on Jun 16, 2025
jgrandja
added
in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
and removed
status: waiting-for-triageAn issue we've not yet triaged
on Jun 16, 2025
jgrandja
mentioned this in 2 issues on Jun 16, 2025
jgrandja
added this to the 6.5.2 milestone on Jun 16, 2025
rwinch
modified the milestones: 6.5.2, 6.5.3, 6.4.8 on Jul 21, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

Labels

in: oauth2An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)type: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

    Development

    No branches or pull requests

      Participants

      @rwinch@vanrenter@jgrandja@pheyken@ngocnhan-tran1996

      Issue actions
        JwtDecoderFactory is missing and throws ClassNotFoundException with Bearer token and spring-boot:3.5.0 · Issue #17249 · spring-projects/spring-security