Aud with empty string returns empty List

andrewrigas commented 1 year ago

Checklist

[X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
[X] I have looked into the API documentation and have not found a suitable solution or answer.
[X] I have searched the issues and have not found a suitable solution or answer.
[X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
[X] I agree to the terms within the Auth0 Code of Conduct.

Description

When an audience with empty string pass to the payload when we try to decode it returns empty list instead of list with empty string.

Header

{
  "alg": "none",
  "typ": "JWT"
}

Payload

{
  "aud": ""
}

Reproduction

val token      = JWT.create().withAudience("").sign(Algorithm.none())
val decodedJWT = JWT.require(Algorithm.none()).build().verify(token)

// Also this issue expands to withAudience("") provided requirements on verification.

println(s"$token") // eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhdWQiOiIifQ.
println(s"** ${decodedJWT.getAudience}") // []
println(s"*** ${decodedJWT.getAudience.size()}") // 0

Additional context

No response

java-jwt version

4.4.0

Java version

Oracle Corporation Java 11.0.16.1

jimmyjames commented 1 year ago

Thanks for the info @andrewrigas!

You are correct; when the claim value is a string, it's only added to a singleton list if the value is not empty (source).

The code has been there for over seven years, so I'd like to try and understand any specific use cases that it was added for before making any changes.

I'm curious, what is the use case with an empty audience string that caused you to encounter this?

andrewrigas commented 1 year ago

Hey @jimmyjames,

No use case other than just the behaviour is unexpected when an empty string is inserted. I have property-base testing enabled in my tests and when I allow empty strings to be generated I get this error.

I would like to see the reason but also this to get resolved. ~I tried instead reading it manually with java-jwt API and still got into the same problem. So, it's not just audience its a general bug with Lists and single empty string.~

jimmyjames commented 1 year ago

Thanks @andrewrigas, do you have another example of the same behavior with Lists and single empty strings behaving the same way?

andrewrigas commented 1 year ago

Thanks @andrewrigas, do you have another example of the same behavior with Lists and single empty strings behaving the same way?

I am not able to reproduce it again. Maybe I was doing something wrong. So probably it's just aud claim.

jimmyjames commented 1 year ago

No worries, I'll take a look again, but I'm pretty sure the code in question is only used for the aud claim.

andrewrigas commented 1 year ago

@jimmyjames let me know if this is something that can be fixed, I can also help if needed.

jimmyjames commented 1 year ago

Hey @andrewrigas, I've made #663 to fix the issue, feel free to take a look (pretty simple change). Thanks!

auth0 / java-jwt