microsoft-authentication-library-for-java

Reduce usage of external dependencies

Open Avery-Dunn opened this issue 9 months ago • 0 comments

The Azure Identity SDK project is aiming to minimize the number of external dependencies, as they can lead to security risks and compatibility issues for customers.

The specific ask for MSAL Java is to evaluate and remove these dependencies:

  • [ ] com.nimbusds.oauth-oidc-sdk
    • Only used for some very specific OAuth behaviors. Risk of regression and must be thoroughly tested
    • https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/889
  • [ ] net.minidev.json-smart
    • Azure SDK team suggested an alternative package for JSON parsing: azure-json
    • Unfortunately the main places we use this are due to it being used in com.nimbusds.oauth-oidc-sdk, so this cannot be easily removed without also removing com.nimbusds.oauth-oidc-sdk
  • [ ] org.slf4j.slf4j-api & org.slf4j.slf4j-simple
    • Azure SDK team suggested a reflective approach to loading the SLF4J types if they are on the class path, example here
  • [ ] org.projectlombok.lombok
    • Can simply be replaced by the same code it generates
  • [ ] com.fasterxml.jackson.core
    • https://github.com/AzureAD/microsoft-authentication-library-for-java/issues/441
    • Available in azure-core https://mvnrepository.com/artifact/com.azure/azure-core
    • Can be replaced by https://mvnrepository.com/artifact/com.azure/azure-json

Avery-Dunn • Feb 12 '25 18:02
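
The reflective SLF4J loading mentioned in the checklist can look like the sketch below. This is an added example, not code from MSAL Java or the Azure SDK; the class name `OptionalSlf4jLogger` and the logger name are hypothetical, and the fallback to `java.util.logging` is an assumption about what a library would do when SLF4J is absent.

```java
import java.lang.reflect.Method;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical facade: logs through SLF4J when it is on the class path, else java.util.logging. */
public final class OptionalSlf4jLogger {
    private final Object slf4jLogger; // org.slf4j.Logger instance, or null when SLF4J is unavailable
    private final Method slf4jInfo;   // org.slf4j.Logger#info(String)
    private final Method slf4jWarn;   // org.slf4j.Logger#warn(String)
    private final Logger julLogger;   // JDK fallback, always available

    public OptionalSlf4jLogger(String name) {
        Object logger = null;
        Method info = null;
        Method warn = null;
        try {
            // Types are resolved by name at run time, so slf4j-api is not a compile-time dependency.
            Class<?> factory = Class.forName("org.slf4j.LoggerFactory");
            Class<?> loggerType = Class.forName("org.slf4j.Logger");
            logger = factory.getMethod("getLogger", String.class).invoke(null, name);
            info = loggerType.getMethod("info", String.class);
            warn = loggerType.getMethod("warn", String.class);
        } catch (ReflectiveOperationException | LinkageError e) {
            // SLF4J missing, incompatible, or failed to initialise: use the JDK logger only.
            logger = null;
        }
        this.slf4jLogger = logger;
        this.slf4jInfo = info;
        this.slf4jWarn = warn;
        this.julLogger = Logger.getLogger(name);
    }

    public boolean usingSlf4j() { return slf4jLogger != null; }
    public void info(String msg) { log(slf4jInfo, Level.INFO, msg); }
    public void warn(String msg) { log(slf4jWarn, Level.WARNING, msg); }

    private void log(Method method, Level level, String msg) {
        if (slf4jLogger != null) {
            try {
                method.invoke(slf4jLogger, msg);
                return;
            } catch (ReflectiveOperationException e) {
                // A logging failure must not break the caller; fall through to the JDK logger.
            }
        }
        julLogger.log(level, msg);
    }

    public static void main(String[] args) {
        OptionalSlf4jLogger log = new OptionalSlf4jLogger("msal.example"); // constructed sample name
        log.info("SLF4J on class path: " + log.usingSlf4j());
    }
}
```

Running it with and without `slf4j-api` on the class path shows both branches without changing the build's declared dependencies.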