auth0 / java-jwt

Java implementation of JSON Web Token (JWT)

Aud with empty string returns empty List

andrewrigas opened this issue · comments

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

When an audience with an empty string is passed to the payload, decoding it returns an empty list instead of a list with an empty string.

Header

{
  "alg": "none",
  "typ": "JWT"
}

Payload

{
  "aud": ""
}

Reproduction

import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm

val token      = JWT.create().withAudience("").sign(Algorithm.none())
val decodedJWT = JWT.require(Algorithm.none()).build().verify(token)

// Also this issue expands to withAudience("") provided requirements on verification.

println(s"$token") // eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJhdWQiOiIifQ.
println(s"** ${decodedJWT.getAudience}") // []
println(s"*** ${decodedJWT.getAudience.size()}") // 0

Additional context

No response

java-jwt version

4.4.0

Java version

Oracle Corporation Java 11.0.16.1

Thanks for the info @andrewrigas!

You are correct; when the claim value is a string, it's only added to a singleton list if the value is not empty (source).

The code has been there for over seven years, so I'd like to try and understand any specific use cases that it was added for before making any changes.

I'm curious, what is the use case with an empty audience string that caused you to encounter this?

Hey @jimmyjames,

No use case other than just the behaviour is unexpected when an empty string is inserted. I have property-based testing enabled in my tests and when I allow empty strings to be generated I get this error.

I would like to see the reason but also for this to get resolved. I tried instead reading it manually with the java-jwt API and still got into the same problem. So, it's not just audience, it's a general bug with Lists and a single empty string.

Thanks @andrewrigas, do you have another example of the same behavior with Lists and single empty strings behaving the same way?

I am not able to reproduce it again. Maybe I was doing something wrong. So probably it's just aud claim.

No worries, I'll take a look again, but I'm pretty sure the code in question is only used for the aud claim.

@jimmyjames let me know if this is something that can be fixed, I can also help if needed.

Hey @andrewrigas, I've made #663 to fix the issue, feel free to take a look (pretty simple change). Thanks!
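
An added sketch (not java-jwt's code and not written by anyone in this thread) of the two string-to-list mappings discussed above: the described one, where an empty `aud` string yields an empty list, and one that keeps it as a singleton. The class and method names, the sample audience values, and the choice to model a missing claim as an empty list are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.List;

public class AudClaimDemo {
    // Mapping described in the thread: a string "aud" becomes a singleton
    // list only when it is non-empty, so "" collapses to an empty list.
    static List<String> audDroppingEmpty(Object claim) {
        if (claim instanceof String) {
            String s = (String) claim;
            return s.isEmpty() ? Collections.emptyList() : Collections.singletonList(s);
        }
        return asStringList(claim);
    }

    // Alternative mapping: every string value, including "", becomes a singleton list.
    static List<String> audKeepingEmpty(Object claim) {
        if (claim instanceof String) {
            return Collections.singletonList((String) claim);
        }
        return asStringList(claim);
    }

    // Array form of "aud". Assumption of this sketch: anything else,
    // including a missing claim (null), is modelled as "no audiences".
    @SuppressWarnings("unchecked")
    static List<String> asStringList(Object claim) {
        return claim instanceof List ? (List<String>) claim : Collections.emptyList();
    }

    public static void main(String[] args) {
        // Payload segment of the token printed in the reproduction above.
        byte[] raw = Base64.getUrlDecoder().decode("eyJhdWQiOiIifQ");
        System.out.println(new String(raw, StandardCharsets.UTF_8));

        // Constructed inputs: empty string, one audience, array form, missing claim.
        Object[] samples = { "", "api://orders", List.of("a", "b"), null };
        for (Object claim : samples) {
            System.out.println(claim + " -> " + audDroppingEmpty(claim)
                    + " vs " + audKeepingEmpty(claim));
        }
        // Under the first mapping an empty "aud" and a missing "aud" look the
        // same to the caller; under the second they remain distinguishable.
        System.out.println(audDroppingEmpty("").equals(audDroppingEmpty(null)));
        System.out.println(audKeepingEmpty("").equals(audKeepingEmpty(null)));
    }
}
```

Code that decides whether to enforce an audience check based on whether the returned list is empty is where the difference between the two mappings matters.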