auth0 / java-jwt

Java implementation of JSON Web Token (JWT)


From 3.19.4 to 4.4.0: IncorrectClaimException on verify()

borgogelli opened this issue · comments

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

The following JUnit test is successful with version 3.19.4, but with version 4.4.0 it throws a com.auth0.jwt.exceptions.IncorrectClaimException, while I expect a TokenExpiredException.

Reproduction

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.TokenExpiredException;
    import com.auth0.jwt.interfaces.DecodedJWT;
    import com.auth0.jwt.interfaces.Verification;
    import java.security.NoSuchAlgorithmException;
    import java.security.spec.InvalidKeySpecException;
    import org.junit.jupiter.api.Assertions;
    import org.junit.jupiter.api.Test;

    // JwtTokenValidator and ListUtils are the reporter's own helper classes, not part of java-jwt.

    @Test
    public void test() throws InvalidKeySpecException, NoSuchAlgorithmException {
        String token1 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIxIiwiYXVkIjoiMGEwMDI3MDAwMDBiIiwibmJmIjoxNTM5NTA4MDcxLCJpc3MiOiJJdWJhciIsImV4cCI6MTUzOTY0MDgwMCwiaWF0IjoxNTM5NTA4NjcxLCJqdGkiOiIxIn0.DyHb9gwjRUUVq6lGva3_Cb17_z_otdcd89pMlySmVWCkdffEHLf1FEQo4OdKrV1blkyMLUcaWOmj_glS-PrfBCSBfNFsWBmuxzo333DiOa41-b37I5pZ3-Bi70T0dou6Q169uu6sLcT4_kwcpP0hBR2_NKhE71qQiiNLXV9bACc";
        // Expiration date: 16/10/2018
        Assertions.assertThrows(TokenExpiredException.class, () -> {
            DecodedJWT decoded = verifyJwt("0A002700000B", token1);
        });
    }

    private DecodedJWT verifyJwt(String str, String token) throws InvalidKeySpecException, NoSuchAlgorithmException {
        // Comma-separated list of expected audiences
        String[] audience = ListUtils.explodeAsArray(",", str);
        JwtTokenValidator validator = new JwtTokenValidator();
        // RSA public key used to check the RS256 signature
        Algorithm algorithm = validator.getAlgorithmPublicKey();
        Verification verification = JWT.require(algorithm).withIssuer("Iubar").withSubject("1");
        for (String mac : audience) {
            verification = verification.withAudience(mac);
        }
        JWTVerifier verifier = verification.build();
        DecodedJWT jwt = verifier.verify(token);
        validator.printInfo(jwt);
        return jwt;
    }


Additional context

No response

java-jwt version

4.4.0

Java version

java 11, target 1.8

Thanks @borgogelli for the details and reproduction steps, we'll look into it this week and release a fix if needed. Thanks!

@borgogelli the exception you are seeing is because the actual audience in the JWT does not match the expected audience in the validation (the actual JWT's audience is 0a002700000b, while you have configured the validation to expect 0A002700000B - just incorrect casing). So the exception occurs because the audience does not match. If you were to comment out the audience validation (just to test) you'd receive a TokenExpiredException as expected.


Hi @jimmyjames, thank you for the reply.
The question is: why does the same test pass with version 3.19.4?

@borgogelli - in v3 the exp claim is validated prior to the aud claim, resulting in the TokenExpiredException being thrown prior to validating the aud claim (which would throw an IncorrectClaimException if the exp claim were valid). Both cases result in an invalid JWT but different types of JWTVerificationException being thrown due to the order of validation.
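A self-contained illustration of the point above and of the reproduction in the issue, added here as an example and not code from the issue reporter or from java-jwt itself: it mints a token that is both expired and carries the lower-case audience 0a002700000b, then verifies it with the audience spelled 0A002700000B the way the test does. Assumptions: the signing key is a constructed HMAC secret standing in for the reporter's RSA public key (their JwtTokenValidator and ListUtils helpers are not reproduced), and class and method names are my own. The design point is that a caller should treat every JWTVerificationException subclass as "reject", because which subclass surfaces first depends on the order in which the library checks claims, which the maintainer's comment shows changed between 3.x and 4.x.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.IncorrectClaimException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Date;

public class VerificationOrderDemo {

    // Constructed signing key for this demo only (hypothetical); a real service
    // would load its key from a secret store, never from a string literal.
    private static final Algorithm ALG = Algorithm.HMAC256("demo-secret-not-for-production");

    /** Issues a token that is already expired AND carries the given audience. */
    static String expiredTokenWithAudience(String audience) {
        Instant now = Instant.now();
        return JWT.create()
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience(audience)
                .withIssuedAt(Date.from(now.minus(2, ChronoUnit.DAYS)))
                .withExpiresAt(Date.from(now.minus(1, ChronoUnit.DAYS))) // expired yesterday
                .sign(ALG);
    }

    /** Builds the same kind of verifier the issue's test builds: issuer, subject, audience. */
    static JWTVerifier verifierExpecting(String expectedAudience) {
        return JWT.require(ALG)
                .withIssuer("Iubar")
                .withSubject("1")
                .withAudience(expectedAudience)
                .build();
    }

    /**
     * Verifies the token and returns a label for the outcome. The specific
     * subclass caught first depends on the library's claim-check order (exp
     * before aud in 3.x, aud before exp in 4.x per the maintainer), so only the
     * accept/reject decision should drive application logic; the subclass is
     * useful for logging and metrics, nothing more.
     */
    static String classify(JWTVerifier verifier, String token) {
        try {
            DecodedJWT jwt = verifier.verify(token);
            return "accepted for subject " + jwt.getSubject();
        } catch (TokenExpiredException e) {
            return "rejected (expired): " + e.getMessage();
        } catch (IncorrectClaimException e) {
            return "rejected (claim mismatch): " + e.getMessage();
        } catch (JWTVerificationException e) {
            // Catch-all: any other verification failure is equally a rejection.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String token = expiredTokenWithAudience("0a002700000b");

        // Audience is compared case-sensitively: "0A002700000B" != "0a002700000b".
        // On 4.4.0 this reports the audience mismatch; on 3.19.4 it reported the
        // expiry first. Either way the token is rejected.
        System.out.println(classify(verifierExpecting("0A002700000B"), token));

        // With the audience spelled exactly as issued, only expiry is left to fail,
        // so both 3.x and 4.x report TokenExpiredException here.
        System.out.println(classify(verifierExpecting("0a002700000b"), token));
    }
}
```

Run with java-jwt 4.4.0 on the classpath to see the IncorrectClaimException path on the first call and the TokenExpiredException path on the second; swapping in 3.19.4 makes the first call report expiry instead, which is exactly the behaviour change the issue describes. The message text from the library is printed verbatim, so the exact wording will differ between versions.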

thank you @jimmyjames for the really comprehensive answer