[7.x] Update oauth2-oidc-sdk and nimbus-jose-jwt (#48537)

x-pack/plugin/security/build.gradle

@@ -56,8 +56,8 @@ dependencies {
     compile 'com.google.guava:guava:19.0'
 
     // Dependencies for oidc
-    compile "com.nimbusds:oauth2-oidc-sdk:6.5"
-    compile "com.nimbusds:nimbus-jose-jwt:4.41.2"
+    compile "com.nimbusds:oauth2-oidc-sdk:6.16.5"
+    compile "com.nimbusds:nimbus-jose-jwt:8.2"
     compile "com.nimbusds:lang-tag:1.4.4"
     compile "com.sun.mail:jakarta.mail:1.6.3"
     compile "net.jcip:jcip-annotations:1.0"
@@ -82,7 +82,7 @@ dependencies {
     testCompile('org.apache.kerby:kerb-crypto:1.1.1')
     testCompile('org.apache.kerby:kerb-util:1.1.1')
     testCompile('org.apache.kerby:token-provider:1.1.1')
-    testCompile('com.nimbusds:nimbus-jose-jwt:4.41.2')
+    testCompile('com.nimbusds:nimbus-jose-jwt:8.2')
     testCompile('net.jcip:jcip-annotations:1.0')
     testCompile('org.apache.kerby:kerb-admin:1.1.1')
     testCompile('org.apache.kerby:kerb-server:1.1.1')
@@ -270,7 +270,13 @@ thirdPartyAudit {
         // [missing classes] SLF4j includes an optional class that depends on an extension class (!)
         'org.slf4j.ext.EventData',
         // Optional dependency of oauth2-oidc-sdk that we don't need since we do not support AES-SIV for JWE
-        'org.cryptomator.siv.SivMode'
+        'org.cryptomator.siv.SivMode', 
+        // Optional dependency of nimbus-jose-jwt for handling Ed25519 signatures and ECDH with X25519 (RFC 8037)   
+        'com.google.crypto.tink.subtle.Ed25519Sign',
+        'com.google.crypto.tink.subtle.Ed25519Sign$KeyPair',
+        'com.google.crypto.tink.subtle.Ed25519Verify',
+        'com.google.crypto.tink.subtle.X25519'
+
     )
 
     ignoreViolations (

x-pack/plugin/security/licenses/nimbus-jose-jwt-8.2.jar.sha1

@@ -0,0 +1 @@
+3cc99de85969253f2f085c39d87124e21011ae74

x-pack/plugin/security/licenses/oauth2-oidc-sdk-6.16.5.jar.sha1

@@ -0,0 +1 @@
+690bf0290fe0c03dabfb43566dbd334f78ddce84

x-pack/plugin/security/src/test/java/org/elasticsearch/xpack/security/authc/oidc/OpenIdConnectAuthenticatorTests.java

@@ -10,6 +10,7 @@
 import com.nimbusds.jose.crypto.ECDSASigner;
 import com.nimbusds.jose.crypto.MACSigner;
 import com.nimbusds.jose.crypto.RSASSASigner;
+import com.nimbusds.jose.jwk.Curve;
 import com.nimbusds.jose.jwk.ECKey;
 import com.nimbusds.jose.jwk.JWK;
 import com.nimbusds.jose.jwk.JWKSet;
@@ -971,7 +972,7 @@ private Tuple<Key, JWKSet> getRandomJwkForType(String type) throws Exception {
 
         } else if (type.equals("ES")) {
             hashSize = randomFrom(256, 384, 512);
-            ECKey.Curve curve = curveFromHashSize(hashSize);
+            Curve curve = curveFromHashSize(hashSize);
             KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
             gen.initialize(curve.toECParameterSpec());
             KeyPair keyPair = gen.generateKeyPair();
@@ -986,13 +987,13 @@ private Tuple<Key, JWKSet> getRandomJwkForType(String type) throws Exception {
         return new Tuple(key, new JWKSet(jwk));
     }
 
-    private ECKey.Curve curveFromHashSize(int size) {
+    private Curve curveFromHashSize(int size) {
         if (size == 256) {
-            return ECKey.Curve.P_256;
+            return Curve.P_256;
         } else if (size == 384) {
-            return ECKey.Curve.P_384;
+            return Curve.P_384;
         } else if (size == 512) {
-            return ECKey.Curve.P_521;
+            return Curve.P_521;
         } else {
             throw new IllegalArgumentException("Invalid hash size:" + size);
         }