empty expected audience array should throw InvalidClaimException (#679)

auth0 · Dec 1, 2023 · d5c05d7 · d5c05d7
1 parent bad6035
commit d5c05d7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 4 deletions.
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -364,12 +364,19 @@ private boolean assertInstantIsLessThanOrEqualToNow(Instant claimVal, long leewa
         }
 
         private boolean assertValidAudienceClaim(
-                List<String> audience,
-                List<String> values,
+                List<String> actualAudience,
+                List<String> expectedAudience,
                 boolean shouldContainAll
         ) {
-            return !(audience == null || (shouldContainAll && !audience.containsAll(values))
-                    || (!shouldContainAll && Collections.disjoint(audience, values)));
+            if (actualAudience == null || expectedAudience == null) {
+                return false;
+            }
+
+            if (shouldContainAll) {
+                return actualAudience.containsAll(expectedAudience);
+            } else {
+                return !Collections.disjoint(actualAudience, expectedAudience);
+            }
         }
 
         private void assertPositive(long leeway) {

diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
@@ -310,6 +310,21 @@ public void shouldThrowWhenAudienceClaimIsNullWithAnAudience() {
         assertThat(e.getClaimValue().asArray(String.class), is(new String[] {null}));
     }
 
+    @Test
+    public void shouldThrowWhenExpectedEmptyList() {
+        IncorrectClaimException e = assertThrows(null, IncorrectClaimException.class, () -> {
+            // Token 'aud': 'wide audience'
+            String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3aWRlIGF1ZGllbmNlIn0.c9anq03XepcuEKWEVsPk9cck0sIIfrT6hHbBsCar49o";
+            JWTVerifier.init(Algorithm.HMAC256("secret"))
+                    .withAnyOfAudience(new String[0])
+                    .build()
+                    .verify(token);
+        });
+        assertThat(e.getMessage(), is("The Claim 'aud' value doesn't contain the required audience."));
+        assertThat(e.getClaimName(), is(RegisteredClaims.AUDIENCE));
+        assertThat(e.getClaimValue().asString(), is("wide audience"));
+    }
+
     @Test
     public void shouldNotReplaceWhenMultipleChecksAreAdded() {
         JWTVerifier verifier = JWTVerifier.init(Algorithm.HMAC256("secret"))