auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

From 3.19.4 to 4.4.0: IncorrectClaimException on verify() #671

Closed borgogelli closed 11 months ago

borgogelli commented 1 year ago

Description

The following JUnit test is successful with version 3.19.4, but with version 4.4.0 it throws a com.auth0.jwt.exceptions.IncorrectClaimException exception, while I expect a TokenExpiredException.

Reproduction

    import java.security.NoSuchAlgorithmException;
    import java.security.spec.InvalidKeySpecException;

    import org.junit.jupiter.api.Assertions;
    import org.junit.jupiter.api.Test;

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.TokenExpiredException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import com.auth0.jwt.interfaces.Verification;

    @Test
    public void test() throws InvalidKeySpecException, NoSuchAlgorithmException {
        String token1 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIiwiYXVkIjoiMGEwMDI3MDAwMDBiIiwibmJmIjoxNTM5NTA4MDcxLCJpc3MiOiJJdWJhciIsImV4cCI6MTUzOTY0MDgwMCwiaWF0IjoxNTM5NTA4NjcxLCJqdGkiOiIxIn0.DyHb9gwjRUUVq6lGva3_Cb17_z_otdcd89pMlySmVWCkdffEHLf1FEQo4OdKrV1blkyMLUcaWOmj_glS-PrfBCSBfNFsWBmuxzo333DiOa41-b37I5pZ3-Bi70T0dou6Q169uu6sLcT4_kwcpP0hBR2_NKhE71qQiiNLXV9bACc";
        // Expiration date: 16/10/2018
        Assertions.assertThrows(TokenExpiredException.class, () -> {
            DecodedJWT decoded = verifyJwt("0A002700000B", token1);
        });
    }

    // ListUtils and JwtTokenValidator are the reporter's own helper classes, not part of java-jwt:
    // the first splits a comma-separated list, the second loads the RSA public key and prints claims.
    private DecodedJWT verifyJwt(String str, String token) throws InvalidKeySpecException, NoSuchAlgorithmException {
        String[] audience = ListUtils.explodeAsArray(",", str);
        JwtTokenValidator validator = new JwtTokenValidator();
        Algorithm algorithm = validator.getAlgorithmPublicKey();
        Verification verification = JWT.require(algorithm).withIssuer("Iubar").withSubject("1");
        for (String mac : audience) {
            verification = verification.withAudience(mac);
        }
        JWTVerifier verifier = verification.build();
        DecodedJWT jwt = verifier.verify(token);
        validator.printInfo(jwt);
        return jwt;
    }

Additional context

No response

java-jwt version

4.4.0

Java version

java 11, target 1.8

jimmyjames commented 12 months ago

Thanks @borgogelli for the details and reproduction steps, we'll look into it this week and release a fix if needed. Thanks!

jimmyjames commented 12 months ago

@borgogelli the exception you are seeing is because the actual audience in the JWT does not match the expected audience in the validation (the actual JWT's audience is 0a002700000b, while you have configured the validation to expect 0A002700000B - just incorrect casing). So the exception occurs because the audience does not match. If you were to comment out the audience validation (just to test) you'd receive a TokenExpiredException as expected.

borgogelli commented 12 months ago

Hi @jimmyjames, thank you for the reply. The question is why does the same test pass with version 3.19.4?

jimmyjames commented 11 months ago

@borgogelli - in v3 the exp claim is validated prior to the aud claim, resulting in the TokenExpiredException being thrown prior to validating the aud claim (which would throw an IncorrectClaimException if the exp claim were valid). Both cases result in an invalid JWT but different types of JWTVerificationException being thrown due to the order of validation.
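
The ordering described above can be observed directly. The following is an added stand-alone example, not code from this issue or from java-jwt itself: it signs an already-expired token carrying the report's lower-case audience with an HMAC256 demo secret (assumed here so no RSA key material is needed) and verifies it under java-jwt 4.x against both audience spellings; the class name, method names and secret are constructed for the illustration.

```java
import java.time.Instant;
import java.util.Date;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.IncorrectClaimException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;

public class VerificationOrderDemo {
    // Constructed demo secret: HMAC256 keeps the example self-contained (no RSA key files needed)
    private static final Algorithm ALG = Algorithm.HMAC256("demo-secret-not-for-production");

    /** Signs a token that expired an hour ago and carries the report's lower-case audience. */
    static String expiredToken() {
        Instant issued = Instant.now().minusSeconds(7200);
        return JWT.create()
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience("0a002700000b")
                .withExpiresAt(Date.from(issued.plusSeconds(3600))) // exp one hour in the past
                .sign(ALG);
    }

    /** Verifies the token against one expected audience and names the failure java-jwt reports. */
    static String failureFor(String token, String expectedAudience) {
        JWTVerifier verifier = JWT.require(ALG)
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience(expectedAudience) // exact, case-sensitive string comparison
                .build();
        try {
            verifier.verify(token);
            return "none";
        } catch (TokenExpiredException e) {
            return "TokenExpiredException";
        } catch (IncorrectClaimException e) {
            return "IncorrectClaimException on claim '" + e.getClaimName() + "'";
        } catch (JWTVerificationException e) {
            return e.getClass().getSimpleName(); // any other failure: the token is still rejected
        }
    }

    public static void main(String[] args) {
        String token = expiredToken();
        // 4.x runs the configured aud check before exp, so the casing mismatch is reported first;
        // with the audience matched exactly, the mandatory exp check reports the expiry instead
        System.out.println("0A002700000B -> " + failureFor(token, "0A002700000B"));
        System.out.println("0a002700000b -> " + failureFor(token, "0a002700000b"));
    }
}
```

Whichever subtype surfaces first, the token is rejected either way, so callers should treat every JWTVerificationException as a verification failure rather than depending on the order in which the claim checks run.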

borgogelli commented 11 months ago

thank you @jimmyjames for the really comprehensive answer