Update OAuth2 OIDC SDK (#108799)

This commit updates the Nimbus OAuth2 OIDC SDK and the associated Nimbus JOSE+JWT, however a few odd choices had to be made in the process.

First, we update to versions which are old at time of merge. This is because versions of Nimbus JOSE+JWT 9.38 and after through time of writing [contain a bug](https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/550/java-module-doesnt-work-properly-with) in which the shaded gson class files included in the library are not properly loaded by our module loading code (and possibly in general? the root cause of the bug is unclear at time of writing but it does not appear to be present in all uses of this library). This requires us to use an older version of Nimbus OAuth2 OIDC SDK as well.

Second, the aforementioned shaded gson uses reflection internally, and is used in unpredictable places in these libraries (e.g. constructors). This is extremely unfriendly to our usage of the security manager. In order to make the scope of permission grants as narrow as possible, we shadow nimbus-jose-jwt in order to insert `AccessController.doPrivileged` calls at the appropriate points, given the usage of gson is relatively contained.

This approach was chosen over other approaches given 1) the relative simplicity given the implementation of the library, and 2) the complexity involved in safely using the library any other way - as one example, gson is used frequently in `toString()` methods, which are frequently called implicitly, especially in combination with logging which may mask security manager exceptions from being surfaced in tests. All of the code we intercept should be re-evaluated when this library is next upgraded.

Co-authored-by: Jake Landis <[email protected]>

Author: gwbrown

gradle/verification-metadata.xml

@@ -946,9 +946,11 @@
             <sha256 value="fbfd0d5f2b2f86758b821daa5e79b5d7c965edd9dc1b2cc80b515df1c6ddc22d" origin="Generated by Gradle"/>
          </artifact>
       </component>
-      <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.23">
-         <artifact name="nimbus-jose-jwt-9.23.jar">
-            <sha256 value="33ab8084fdae1d75be1b061b1489d4a12045bd7b50c2e24ff152911e4551ec07" origin="Generated by Gradle"/>
+      <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.37.3">
+         <artifact name="nimbus-jose-jwt-9.37.3.jar">
+            <sha256 value="12ae4a3a260095d7aeba2adea7ae396e8b9570db8b7b409e09a824c219cc0444" origin="Generated by Gradle">
+               <also-trust value="afc63b689d881439b95f343b1dca750391edac63b87392be4d90d19c94ccafbe"/>
+            </sha256>
          </artifact>
       </component>
       <component group="com.nimbusds" name="nimbus-jose-jwt" version="9.37.3">
@@ -961,6 +963,11 @@
             <sha256 value="7664cf8c6f2adadf600287812b32878277beda54912eab9d4c2932cd50cb704a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.10.1">
+         <artifact name="oauth2-oidc-sdk-11.10.1.jar">
+            <sha256 value="9e51b2c17503cdd3eb97f41491c712aff7783bb3c67185d789f44ccf2a603b26" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.nimbusds" name="oauth2-oidc-sdk" version="11.9.1">
          <artifact name="oauth2-oidc-sdk-11.9.1.jar">
             <sha256 value="0820c9690966304d075347b88e81ae490213440fc4d2c84f3d370d41941b2b9c" origin="Generated by Gradle"/>
@@ -1739,6 +1746,11 @@
             <sha256 value="64072f56d9dff5040b2acec477c5d5e6bcebfc88c508f12acb26072d07942146" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="net.minidev" name="json-smart" version="2.5.1">
+         <artifact name="json-smart-2.5.1.jar">
+            <sha256 value="86c0c189581b79b57b0719f443a724e9f628ffbb9eef645cf79194f5973a1001" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="net.minidev" name="json-smart" version="2.5.0">
          <artifact name="json-smart-2.5.0.jar">
             <sha256 value="432b9e545848c4141b80717b26e367f83bf33f19250a228ce75da6e967da2bc7" origin="Generated by Gradle"/>

x-pack/plugin/security/build.gradle

@@ -79,12 +79,19 @@ dependencies {
   runtimeOnly "joda-time:joda-time:2.10.10"
 
   // Dependencies for oidc
-  api "com.nimbusds:oauth2-oidc-sdk:9.37"
-  api "com.nimbusds:nimbus-jose-jwt:9.23"
+  api "com.nimbusds:oauth2-oidc-sdk:11.10.1"
+  api project(path: xpackModule('security:lib:nimbus-jose-jwt-modified'), configuration: 'shadow')
+  if (isEclipse) {
+    /*
+     * Eclipse can't pick up the shadow dependency so we point it at the unmodified version of the library
+     * so it can compile things.
+     */
+    api "com.nimbusds:nimbus-jose-jwt:9.37.3"
+  }
   api "com.nimbusds:lang-tag:1.4.4"
   api "com.sun.mail:jakarta.mail:1.6.3"
   api "net.jcip:jcip-annotations:1.0"
-  api "net.minidev:json-smart:2.4.10"
+  api "net.minidev:json-smart:2.5.1"
   api "net.minidev:accessors-smart:2.4.2"
   api "org.ow2.asm:asm:8.0.1"
 
@@ -103,7 +110,6 @@ dependencies {
   testImplementation('org.apache.kerby:kerb-crypto:1.1.1')
   testImplementation('org.apache.kerby:kerb-util:1.1.1')
   testImplementation('org.apache.kerby:token-provider:1.1.1')
-  testImplementation('com.nimbusds:nimbus-jose-jwt:9.23')
   testImplementation('net.jcip:jcip-annotations:1.0')
   testImplementation('org.apache.kerby:kerb-admin:1.1.1')
   testImplementation('org.apache.kerby:kerb-server:1.1.1')
@@ -225,6 +231,9 @@ tasks.named("thirdPartyAudit").configure {
     'javax.servlet.http.HttpSession',
     'javax.servlet.http.HttpUpgradeHandler',
     'javax.servlet.http.Part',
+    'jakarta.servlet.ServletRequest',
+    'jakarta.servlet.http.HttpServletRequest',
+    'jakarta.servlet.http.HttpServletResponse',
     // [missing classes] Shibboleth + OpenSAML have velocity support that we don't use
     'org.apache.velocity.VelocityContext',
     'org.apache.velocity.app.VelocityEngine',
@@ -274,112 +283,103 @@ tasks.named("thirdPartyAudit").configure {
     // [missing classes] Http Client cache has optional ehcache support
     'net.sf.ehcache.Ehcache',
     'net.sf.ehcache.Element',
-        // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We
-        // acknowledge them here instead of adding bouncy castle as a compileOnly dependency
-        'org.bouncycastle.asn1.ASN1Encodable',
-        'org.bouncycastle.asn1.ASN1InputStream',
-        'org.bouncycastle.asn1.ASN1Integer',
-        'org.bouncycastle.asn1.ASN1ObjectIdentifier',
-        'org.bouncycastle.asn1.ASN1OctetString',
-        'org.bouncycastle.asn1.ASN1Primitive',
-        'org.bouncycastle.asn1.ASN1Sequence',
-        'org.bouncycastle.asn1.ASN1TaggedObject',
-        // 'org.bouncycastle.asn1.DEROctetString',
-        'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo',
-        'org.bouncycastle.asn1.pkcs.EncryptionScheme',
-        'org.bouncycastle.asn1.pkcs.KeyDerivationFunc',
-        'org.bouncycastle.asn1.pkcs.PBEParameter',
-        'org.bouncycastle.asn1.pkcs.PBES2Parameters',
-        'org.bouncycastle.asn1.pkcs.PBKDF2Params',
-        'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers',
-        'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
-        'org.bouncycastle.asn1.x500.AttributeTypeAndValue',
-        'org.bouncycastle.asn1.x500.RDN',
-        'org.bouncycastle.asn1.x500.X500Name',
-        'org.bouncycastle.asn1.x509.AccessDescription',
-        'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
-        'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier',
-        'org.bouncycastle.asn1.x509.BasicConstraints',
-        'org.bouncycastle.asn1.x509.DistributionPoint',
-        'org.bouncycastle.asn1.x509.Extension',
-        'org.bouncycastle.asn1.x509.GeneralName',
-        'org.bouncycastle.asn1.x509.GeneralNames',
-        'org.bouncycastle.asn1.x509.GeneralNamesBuilder',
-        'org.bouncycastle.asn1.x509.KeyPurposeId',
-        'org.bouncycastle.asn1.x509.KeyUsage',
-        'org.bouncycastle.asn1.x509.PolicyInformation',
-        'org.bouncycastle.asn1.x509.SubjectKeyIdentifier',
-        'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
-        // 'org.bouncycastle.asn1.x9.DomainParameters',
-        // 'org.bouncycastle.asn1.x9.ECNamedCurveTable',
-        'org.bouncycastle.asn1.x9.X9ECParameters',
-        'org.bouncycastle.cert.X509v3CertificateBuilder',
-        'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
-        'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils',
-        'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
-        'org.bouncycastle.crypto.BlockCipher',
-        'org.bouncycastle.crypto.BufferedBlockCipher',
-        'org.bouncycastle.crypto.CipherParameters',
-        'org.bouncycastle.crypto.Digest',
-        'org.bouncycastle.crypto.PBEParametersGenerator',
-        'org.bouncycastle.crypto.StreamCipher',
-        'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator',
-        // 'org.bouncycastle.crypto.ec.CustomNamedCurves',
-        'org.bouncycastle.crypto.engines.AESEngine',
-        'org.bouncycastle.crypto.generators.BCrypt',
-        'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator',
-        'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator',
-        'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator',
-        'org.bouncycastle.crypto.macs.HMac',
-        'org.bouncycastle.crypto.modes.AEADBlockCipher',
-        'org.bouncycastle.crypto.modes.GCMBlockCipher',
-        'org.bouncycastle.crypto.paddings.BlockCipherPadding',
-        'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher',
-        'org.bouncycastle.crypto.params.AsymmetricKeyParameter',
-        'org.bouncycastle.crypto.params.DSAKeyParameters',
-        'org.bouncycastle.crypto.params.DSAParameters',
-        'org.bouncycastle.crypto.params.DSAPrivateKeyParameters',
-        'org.bouncycastle.crypto.params.DSAPublicKeyParameters',
-        'org.bouncycastle.crypto.params.ECDomainParameters',
-        'org.bouncycastle.crypto.params.ECKeyParameters',
-        'org.bouncycastle.crypto.params.ECPrivateKeyParameters',
-        'org.bouncycastle.crypto.params.ECPublicKeyParameters',
-        // 'org.bouncycastle.crypto.params.KDFParameters',
-        'org.bouncycastle.crypto.params.KeyParameter',
-        'org.bouncycastle.crypto.params.RSAKeyParameters',
-        'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters',
-        'org.bouncycastle.crypto.prng.EntropySource',
-        'org.bouncycastle.crypto.prng.SP800SecureRandom',
-        'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder',
-        'org.bouncycastle.crypto.prng.drbg.SP80090DRBG',
-        'org.bouncycastle.crypto.signers.DSASigner',
-        'org.bouncycastle.crypto.signers.ECDSASigner',
-        'org.bouncycastle.crypto.signers.RSADigestSigner',
-        'org.bouncycastle.crypto.util.PrivateKeyFactory',
-        'org.bouncycastle.crypto.util.PrivateKeyInfoFactory',
-        'org.bouncycastle.crypto.util.PublicKeyFactory',
-        'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory',
-        'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi',
-        'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC',
-        'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi',
-        'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util',
-        'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil',
-        // 'org.bouncycastle.jce.ECNamedCurveTable',
-        // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec',
-        'org.bouncycastle.math.ec.ECFieldElement',
-        'org.bouncycastle.math.ec.ECPoint',
-        'org.bouncycastle.openssl.jcajce.JcaPEMWriter',
-        'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
-        'org.bouncycastle.util.Arrays',
-        'org.bouncycastle.util.io.Streams',
-        'org.bouncycastle.cert.jcajce.JcaX509CertificateHolder',
-        'org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider',
-        'org.bouncycastle.cert.X509CertificateHolder',
-        'org.bouncycastle.openssl.PEMKeyPair',
-        'org.bouncycastle.openssl.PEMParser',
-        'org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter',
-        'org.bouncycastle.crypto.InvalidCipherTextException',
-        'org.bouncycastle.jce.provider.BouncyCastleProvider',
+    // Bouncycastle is an optional dependency for apache directory, cryptacular and opensaml packages. We
+    // acknowledge them here instead of adding bouncy castle as a compileOnly dependency
+    'org.bouncycastle.asn1.ASN1Encodable',
+    'org.bouncycastle.asn1.ASN1InputStream',
+    'org.bouncycastle.asn1.ASN1Integer',
+    'org.bouncycastle.asn1.ASN1ObjectIdentifier',
+    'org.bouncycastle.asn1.ASN1OctetString',
+    'org.bouncycastle.asn1.ASN1Primitive',
+    'org.bouncycastle.asn1.ASN1Sequence',
+    'org.bouncycastle.asn1.ASN1TaggedObject',
+    // 'org.bouncycastle.asn1.DEROctetString',
+    'org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo',
+    'org.bouncycastle.asn1.pkcs.EncryptionScheme',
+    'org.bouncycastle.asn1.pkcs.KeyDerivationFunc',
+    'org.bouncycastle.asn1.pkcs.PBEParameter',
+    'org.bouncycastle.asn1.pkcs.PBES2Parameters',
+    'org.bouncycastle.asn1.pkcs.PBKDF2Params',
+    'org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers',
+    'org.bouncycastle.asn1.pkcs.PrivateKeyInfo',
+    'org.bouncycastle.asn1.x500.AttributeTypeAndValue',
+    'org.bouncycastle.asn1.x500.RDN',
+    'org.bouncycastle.asn1.x500.X500Name',
+    'org.bouncycastle.asn1.x509.AccessDescription',
+    'org.bouncycastle.asn1.x509.AlgorithmIdentifier',
+    'org.bouncycastle.asn1.x509.AuthorityKeyIdentifier',
+    'org.bouncycastle.asn1.x509.BasicConstraints',
+    'org.bouncycastle.asn1.x509.DistributionPoint',
+    'org.bouncycastle.asn1.x509.Extension',
+    'org.bouncycastle.asn1.x509.GeneralName',
+    'org.bouncycastle.asn1.x509.GeneralNames',
+    'org.bouncycastle.asn1.x509.GeneralNamesBuilder',
+    'org.bouncycastle.asn1.x509.KeyPurposeId',
+    'org.bouncycastle.asn1.x509.KeyUsage',
+    'org.bouncycastle.asn1.x509.PolicyInformation',
+    'org.bouncycastle.asn1.x509.SubjectKeyIdentifier',
+    'org.bouncycastle.asn1.x509.SubjectPublicKeyInfo',
+    // 'org.bouncycastle.asn1.x9.DomainParameters',
+    // 'org.bouncycastle.asn1.x9.ECNamedCurveTable',
+    'org.bouncycastle.asn1.x9.X9ECParameters',
+    'org.bouncycastle.cert.X509v3CertificateBuilder',
+    'org.bouncycastle.cert.jcajce.JcaX509CertificateConverter',
+    'org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils',
+    'org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder',
+    'org.bouncycastle.crypto.BlockCipher',
+    'org.bouncycastle.crypto.BufferedBlockCipher',
+    'org.bouncycastle.crypto.CipherParameters',
+    'org.bouncycastle.crypto.Digest',
+    'org.bouncycastle.crypto.PBEParametersGenerator',
+    'org.bouncycastle.crypto.StreamCipher',
+    'org.bouncycastle.crypto.agreement.kdf.ConcatenationKDFGenerator',
+    // 'org.bouncycastle.crypto.ec.CustomNamedCurves',
+    'org.bouncycastle.crypto.generators.BCrypt',
+    'org.bouncycastle.crypto.generators.OpenSSLPBEParametersGenerator',
+    'org.bouncycastle.crypto.generators.PKCS5S1ParametersGenerator',
+    'org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator',
+    'org.bouncycastle.crypto.macs.HMac',
+    'org.bouncycastle.crypto.modes.AEADBlockCipher',
+    'org.bouncycastle.crypto.paddings.BlockCipherPadding',
+    'org.bouncycastle.crypto.paddings.PaddedBufferedBlockCipher',
+    'org.bouncycastle.crypto.params.AsymmetricKeyParameter',
+    'org.bouncycastle.crypto.params.DSAKeyParameters',
+    'org.bouncycastle.crypto.params.DSAParameters',
+    'org.bouncycastle.crypto.params.DSAPrivateKeyParameters',
+    'org.bouncycastle.crypto.params.DSAPublicKeyParameters',
+    'org.bouncycastle.crypto.params.ECDomainParameters',
+    'org.bouncycastle.crypto.params.ECKeyParameters',
+    'org.bouncycastle.crypto.params.ECPrivateKeyParameters',
+    'org.bouncycastle.crypto.params.ECPublicKeyParameters',
+    // 'org.bouncycastle.crypto.params.KDFParameters',
+    'org.bouncycastle.crypto.params.KeyParameter',
+    'org.bouncycastle.crypto.params.RSAKeyParameters',
+    'org.bouncycastle.crypto.params.RSAPrivateCrtKeyParameters',
+    'org.bouncycastle.crypto.prng.EntropySource',
+    'org.bouncycastle.crypto.prng.SP800SecureRandom',
+    'org.bouncycastle.crypto.prng.SP800SecureRandomBuilder',
+    'org.bouncycastle.crypto.prng.drbg.SP80090DRBG',
+    'org.bouncycastle.crypto.signers.DSASigner',
+    'org.bouncycastle.crypto.signers.ECDSASigner',
+    'org.bouncycastle.crypto.signers.RSADigestSigner',
+    'org.bouncycastle.crypto.util.PrivateKeyFactory',
+    'org.bouncycastle.crypto.util.PrivateKeyInfoFactory',
+    'org.bouncycastle.crypto.util.PublicKeyFactory',
+    'org.bouncycastle.crypto.util.SubjectPublicKeyInfoFactory',
+    'org.bouncycastle.jcajce.provider.asymmetric.dsa.KeyPairGeneratorSpi',
+    'org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC',
+    'org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi',
+    'org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util',
+    'org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil',
+    // 'org.bouncycastle.jce.ECNamedCurveTable',
+    // 'org.bouncycastle.jce.spec.ECNamedCurveParameterSpec',
+    'org.bouncycastle.math.ec.ECFieldElement',
+    'org.bouncycastle.math.ec.ECPoint',
+    'org.bouncycastle.openssl.jcajce.JcaPEMWriter',
+    'org.bouncycastle.operator.jcajce.JcaContentSignerBuilder',
+    'org.bouncycastle.util.Arrays',
+    'org.bouncycastle.util.io.Streams',
+    'org.bouncycastle.cert.X509CertificateHolder',
   )
 
   ignoreViolations(
@@ -402,26 +402,21 @@ tasks.named("thirdPartyAudit").configure {
 
 tasks.named("thirdPartyAudit").configure {
   ignoreMissingClasses(
-          'javax.xml.bind.JAXBContext',
-          'javax.xml.bind.JAXBElement',
-          'javax.xml.bind.JAXBException',
-          'javax.xml.bind.Unmarshaller',
-          'javax.xml.bind.UnmarshallerHandler',
-          // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
-          'org.cryptomator.siv.SivMode',
-          // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)
-          'com.google.crypto.tink.subtle.Ed25519Sign',
-          'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
-          'com.google.crypto.tink.subtle.Ed25519Verify',
-          'com.google.crypto.tink.subtle.X25519',
-          'com.google.crypto.tink.subtle.XChaCha20Poly1305',
-          'com.nimbusds.common.contenttype.ContentType',
-          'javax.activation.ActivationDataFlavor',
-          'javax.activation.DataContentHandler',
-          'javax.activation.DataHandler',
-          'javax.activation.DataSource',
-          'javax.activation.FileDataSource',
-          'javax.activation.FileTypeMap'
+    'javax.xml.bind.JAXBContext',
+    'javax.xml.bind.JAXBElement',
+    'javax.xml.bind.JAXBException',
+    'javax.xml.bind.Unmarshaller',
+    'javax.xml.bind.UnmarshallerHandler',
+    // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
+    'org.cryptomator.siv.SivMode',
+    'com.nimbusds.common.contenttype.ContentType',
+    'com.nimbusds.common.contenttype.ContentType$Parameter',
+    'javax.activation.ActivationDataFlavor',
+    'javax.activation.DataContentHandler',
+    'javax.activation.DataHandler',
+    'javax.activation.DataSource',
+    'javax.activation.FileDataSource',
+    'javax.activation.FileTypeMap'
   )
 }
 

x-pack/plugin/security/lib/build.gradle

@@ -0,0 +1,13 @@
+// This build deserves an explanation. Nimbus-jose-jwt uses gson internally, which is unfriendly
+// to our usage of the security manager, to a degree that it makes the library extremely difficult
+// to work with safely. The purpose of this build is to create a version of nimbus-jose-jwt with
+// a couple classes replaced with wrappers which work with the security manager, the source files
+// in this directory.
+
+// Because we want to include the original class files so that we can reference them without
+// modification, there are a couple intermediate steps:
+// nimbus-jose-jwt-modified-part1: Create a version of the JAR in which the relevant class files are moved to a different package.
+//      This is not immediately usable as this process rewrites the rest of the JAR to "correctly" reference the new classes. So, we need to...
+// nimbus-jose-jwt-modified-part2: Create a JAR from the result of part 1 which contains *only* the relevant class files by removing everything else.
+// nimbus-jose-jwt-modified: Use the result of part 2 here, combined with the original library, so that we can use our
+//      replacement classes which wrap the original class files.

x-pack/plugin/security/lib/nimbus-jose-jwt-modified-part1/build.gradle

@@ -0,0 +1,29 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+apply plugin: 'elasticsearch.build'
+apply plugin: 'com.github.johnrengelman.shadow'
+
+// See the build.gradle file in the parent directory for an explanation of this unusual build
+
+dependencies {
+  implementation "com.nimbusds:nimbus-jose-jwt:9.37.3"
+}
+
+tasks.named('shadowJar').configure {
+  // Attempting to exclude all of the classes we *don't* move here ought to be possible per the
+  // shadowJar docs, but actually attempting to do so results in an empty JAR. May be a bug in the shadowJar plugin.
+  relocate 'com.nimbusds.jose.util.JSONObjectUtils', 'org.elasticsearch.nimbus.jose.util.JSONObjectUtils'
+  relocate 'com.nimbusds.jose.util.JSONStringUtils', 'org.elasticsearch.nimbus.jose.util.JSONStringUtils'
+}
+
+['jarHell', 'thirdPartyAudit', 'forbiddenApisMain', 'splitPackagesAudit', 'licenseHeaders'].each {
+  tasks.named(it).configure {
+    enabled = false
+  }
+}
+