Summary

If the token is expired, an exception will get thrown when getting the audience. Therefore, you can never get the audience from an expired token.

It is desirable behavior of a library which is used to parse JWT - https://github.com/jwtk/jjwt (https://github.com/jwtk/jjwt/blob/master/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java#L369).

Yes, I'm reporting this issue because the part where we are getting the audience from the token is never invoked.
https://github.com/szerhusenBC/jwt-spring-security-demo/blob/master/src/main/java/org/zerhusen/security/JwtTokenUtil.java#L92

Oh, I see, you're right. Do you have any idea how to get claims from an expired token?

I'm closing this ticket because I removed the device/audience support. The mobile starter is actually not supported by Spring Boot 2.