auth0 / java-jwt

Java implementation of JSON Web Token (JWT)
MIT License

NullPointerException when checking empty audience #674

Closed viapivov closed 9 months ago

viapivov commented 10 months ago

Description

We've encountered a bug in 4.4.0 when checking whether the token is issued for an audience that in some cases may be empty. It used to work with 3.19.4.

Here's a snippet to reproduce it.

    import org.junit.Test;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;

    @Test
    public void testEmptyAudJwtClaim() {
        // Zero-length allow-list: the caller has no audience it is willing to accept.
        String[] allowedAudience = new String[0];
        // Token carries a single "aud" value, signed with a throwaway demo secret.
        String token = JWT.create().withAudience("wide audience").sign(Algorithm.HMAC256("secret"));

        // 4.4.0: withAudience(new String[0]) makes verify() throw a NullPointerException;
        // the expected outcome is a failed verification, not an NPE.
        JWTVerifier verifier = JWT.require(Algorithm.HMAC256("secret")).withAudience(allowedAudience).build();

        verifier.verify(token);
    }

The workaround we've found is to exclude the withAudience check in case the audience is empty.

Reproduction

  1. Claim token
  2. Include check with empty audience
  3. Verify the token to include all the audience

Additional context

No response

java-jwt version

4.4.0

Java version

11

jimmyjames commented 9 months ago

Thanks @viapivov for raising and providing a reproducible test; we'll look into this and get a fix out if there is an update needed for the SDK.

jimmyjames commented 9 months ago

In this case, the validation should fail when expecting a zero-length string array audience claim value; but not with a NullPointerException as it is currently. We'll get a fix in to throw an IncorrectClaimException instead.
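The workaround mentioned in the report (dropping the withAudience check whenever the allow-list is empty) is fail-open: a verifier built without withAudience accepts a token minted for any audience. The following is an added example, not code from the issue, from java-jwt, or from either commenter, showing the fail-closed alternative: refuse to build a verifier from an empty allow-list at all, so the outcome is the same on 4.4.0 (where the empty array currently ends in a NullPointerException) and on a fixed release (where it should end in IncorrectClaimException, as the maintainer states above). The class name `AudienceCheck` and the helper `verifierFor` are hypothetical names chosen here; the secret `"secret"` and audience `"wide audience"` are the demo values from the reporter's snippet. `JWT`, `JWTVerifier`, `Algorithm`, `DecodedJWT` and `IncorrectClaimException` are the library's own types.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.IncorrectClaimException;
import com.auth0.jwt.interfaces.DecodedJWT;

public class AudienceCheck {

    // Hypothetical helper (not part of java-jwt): build a verifier only when the
    // caller has at least one audience it is willing to accept. An empty allow-list
    // is treated as a configuration error, never as "skip the audience check".
    static JWTVerifier verifierFor(Algorithm alg, String... allowedAudience) {
        if (allowedAudience == null || allowedAudience.length == 0) {
            throw new IllegalArgumentException(
                "allowed audience must not be empty: refusing to build a verifier "
                + "that would have to skip the aud check");
        }
        return JWT.require(alg).withAudience(allowedAudience).build();
    }

    public static void main(String[] args) {
        // Demo key and token, constructed for this example only.
        Algorithm alg = Algorithm.HMAC256("secret");
        String token = JWT.create().withAudience("wide audience").sign(alg);

        // 1. Matching audience: verification succeeds and the claim is readable.
        DecodedJWT ok = verifierFor(alg, "wide audience").verify(token);
        System.out.println("accepted, aud=" + ok.getAudience());

        // 2. Non-matching audience: the library rejects the token with
        //    IncorrectClaimException (a JWTVerificationException subclass).
        try {
            verifierFor(alg, "other-service").verify(token);
            System.out.println("BUG: token for another audience was accepted");
        } catch (IncorrectClaimException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // 3. Empty allow-list: rejected at configuration time, before any token
        //    is looked at, so no code path exists that accepts "any audience".
        try {
            verifierFor(alg);
            System.out.println("BUG: verifier built from an empty allow-list");
        } catch (IllegalArgumentException e) {
            System.out.println("misconfiguration: " + e.getMessage());
        }
    }
}
```

Case 3 is the one that matters for the workaround: when the allow-list is empty, the right response is to fail the deployment or request loudly, not to build a verifier that silently omits the audience constraint.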