Upgrade to Spring Security 5.4.0

The commit also includes an upgrade to Nimbus JOSE JWT 9.0. Spring
Security requires 9.0 and it is not backwards compatible with 8.19.

Closes gh-23225
Closes gh-23242

spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientProperties.java

@@ -105,7 +105,8 @@ public class OAuth2ClientProperties {
 		private String redirectUri;
 
 		/**
-		 * Authorization scopes. May be left blank when using a pre-defined provider.
+		 * Authorization scopes. When left blank the provider's default scopes, if any,
+		 * will be used.
 		 */
 		private Set<String> scope;
 

spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/security/oauth2/client/OAuth2ClientPropertiesRegistrationAdapterTests.java

@@ -309,7 +309,7 @@ class OAuth2ClientPropertiesRegistrationAdapterTests {
 		assertThat(adapted.getAuthorizationGrantType()).isEqualTo(AuthorizationGrantType.AUTHORIZATION_CODE);
 		assertThat(adapted.getRegistrationId()).isEqualTo("okta");
 		assertThat(adapted.getClientName()).isEqualTo(issuer);
-		assertThat(adapted.getScopes()).containsOnly("openid");
+		assertThat(adapted.getScopes()).isNull();
 		assertThat(providerDetails.getAuthorizationUri()).isEqualTo("https://example.com/o/oauth2/v2/auth");
 		assertThat(providerDetails.getTokenUri()).isEqualTo("https://example.com/oauth2/v4/token");
 		assertThat(providerDetails.getJwkSetUri()).isEqualTo("https://example.com/oauth2/v3/certs");

spring-boot-project/spring-boot-dependencies/build.gradle

@@ -1205,7 +1205,7 @@ bom {
 			]
 		}
 	}
-	library("Nimbus JOSE JWT", "8.19") {
+	library("Nimbus JOSE JWT", "9.0") {
 		group("com.nimbusds") {
 			modules = [
 				"nimbus-jose-jwt"
@@ -1623,7 +1623,7 @@ bom {
 			]
 		}
 	}
-	library("Spring Security", "5.4.0-RC1") {
+	library("Spring Security", "5.4.0") {
 		group("org.springframework.security") {
 			imports = [
 				"spring-security-bom"