From 3.19.4 to 4.4.0: IncorrectClaimException on verify()
borgogelli opened this issue · comments
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
The following JUnit test is successful with version 3.19.4.
But with version 4.4.0 it throws a com.auth0.jwt.exceptions.IncorrectClaimException exception, while I expect a TokenExpiredException.
Reproduction
```java
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
// ListUtils and JwtTokenValidator are the reporter's own helper classes, not part of java-jwt.

@Test
public void test() throws InvalidKeySpecException, NoSuchAlgorithmException {
    String token1 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIiwiYXVkIjoiMGEwMDI3MDAwMDBiIiwibmJmIjoxNTM5NTA4MDcxLCJpc3MiOiJJdWJhciIsImV4cCI6MTUzOTY0MDgwMCwiaWF0IjoxNTM5NTA4NjcxLCJqdGkiOiIxIn0.DyHb9gwjRUUVq6lGva3_Cb17_z_otdcd89pMlySmVWCkdffEHLf1FEQo4OdKrV1blkyMLUcaWOmj_glS-PrfBCSBfNFsWBmuxzo333DiOa41-b37I5pZ3-Bi70T0dou6Q169uu6sLcT4_kwcpP0hBR2_NKhE71qQiiNLXV9bACc";
    // Expiration date: 16/10/2018
    Assertions.assertThrows(TokenExpiredException.class, () -> {
        DecodedJWT decoded = verifyJwt("0A002700000B", token1);
    });
}

private DecodedJWT verifyJwt(String str, String token) throws InvalidKeySpecException, NoSuchAlgorithmException {
    // Comma-separated list of expected audience values; each one becomes a required "aud" value
    String[] audience = ListUtils.explodeAsArray(",", str);
    JwtTokenValidator validator = new JwtTokenValidator();
    Algorithm algorithm = validator.getAlgorithmPublicKey();
    Verification verification = JWT.require(algorithm).withIssuer("Iubar").withSubject(String.valueOf("1"));
    for (String mac : audience) {
        verification = verification.withAudience(mac);
    }
    JWTVerifier verifier = verification.build();
    DecodedJWT jwt = verifier.verify(token);
    validator.printInfo(jwt);
    return jwt;
}
```
Additional context
No response
java-jwt version
4.4.0
Java version
java 11, target 1.8
Thanks @borgogelli for the details and reproduction steps, we'll look into it this week and release a fix if needed. Thanks!
@borgogelli the exception you are seeing is because the actual audience in the JWT does not match the expected audience in the validation (the actual JWT's audience is `0a002700000b`, while you have configured the validation to expect `0A002700000B` - just incorrect casing). So the exception occurs because the audience does not match. If you were to comment out the audience validation (just to test) you'd receive a `TokenExpiredException` as expected.
Hi @jimmyjames thank you for the reply
The question is why does the same test pass with version 3.19.4?
@borgogelli - in v3 the `exp` claim is validated prior to the `aud` claim, resulting in the `TokenExpiredException` being thrown prior to validating the `aud` claim (which would throw an `IncorrectClaimException` if the `exp` claim were valid). Both cases result in an invalid JWT but different types of `JWTVerificationException` being thrown due to the order of validation.
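The validation-order behaviour described in the two comments above, as an added example that is not code from the java-jwt project or from either participant in this thread. It builds two tokens with the java-jwt 4.x API that are both expired, one whose `aud` matches the verifier exactly and one that differs only in casing, and shows which `JWTVerificationException` subclass each produces. The HMAC secret, issuer, subject and audience values are constructed for this example; the expected outcome for case 2 (an `IncorrectClaimException` on 4.4.0) is what the maintainer's explanation states.

```java
// Added example (not from the java-jwt project or the issue author): the same JWT can fail
// with different JWTVerificationException subclasses depending on which claim check runs
// first. Uses the java-jwt 4.x API; all secrets and claim values below are constructed.
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.IncorrectClaimException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;

import java.util.Date;

public class ClaimOrderExample {

    // Constructed example secret; a real deployment would use the RSA public key as in the report.
    private static final Algorithm ALG = Algorithm.HMAC256("constructed-example-secret");

    /** Issues a token that expired one hour ago, carrying the given "aud" value. */
    static String expiredToken(String audience) {
        Date oneHourAgo = new Date(System.currentTimeMillis() - 3_600_000L);
        return JWT.create()
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience(audience)
                .withExpiresAt(oneHourAgo)
                .sign(ALG);
    }

    /** Verifies the token and reports which exception class verify() threw, or "ok". */
    static String verifyAndClassify(String token, String expectedAudience) {
        JWTVerifier verifier = JWT.require(ALG)
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience(expectedAudience) // exact, case-sensitive string comparison
                .build();
        try {
            verifier.verify(token);
            return "ok";
        } catch (TokenExpiredException e) {
            return "TokenExpiredException: " + e.getMessage();
        } catch (IncorrectClaimException e) {
            return "IncorrectClaimException: " + e.getMessage();
        } catch (JWTVerificationException e) {
            // Any other verification failure (bad signature, malformed token, ...): still a rejection.
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Case 1: "aud" matches exactly, so the only failing check is "exp".
        System.out.println(verifyAndClassify(expiredToken("0A002700000B"), "0A002700000B"));

        // Case 2: "aud" differs from the expected value only in casing. On 3.19.4 the "exp"
        // check ran first, so this also gave TokenExpiredException; on 4.4.0 the "aud" check
        // runs first, so IncorrectClaimException is thrown instead.
        System.out.println(verifyAndClassify(expiredToken("0a002700000b"), "0A002700000B"));
    }
}
```

Two practical points follow from this. Application code should reject the token on any `JWTVerificationException`, treating the concrete subclass as diagnostic detail for logging rather than something a trust decision depends on, since the subclass can change between library versions as this issue shows. And because the audience comparison is an exact string match, the issuer and the verifier must agree on the casing of the `aud` value; normalising it on the issuing side is preferable to loosening the check on the verifying side.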
thank you @jimmyjames for the really comprehensive answer