Audience claim required validator

Issue #26 duplicate
patrickpilch created an issue

When a JwtConsumer built with .setExpectedAudience(false) parses a JWT that contains an audience claim, it will throw an exception stating "Audience (aud) claim [some.aud] present .... Expected one of [] as an aud value."

The boolean name for this option is requireAudienceClaim so I believe by providing false I would skip validation of the claim, regardless of whether it is present or not. In my use case, I am trying to validate only one aspect of the JWT (expiration time). My expected use would be .setSkipSignatureVerification() and .setRequireExpirationTime(). But it turns out I needed those two along with .setExpectedAudience(false, "some.aud").

So the behavior of all the other validators seems to be ambivalence to whether the claims are present or not, until specified in the builder - with the exception of Audience.

Comments (2)

  1. Brian Campbell repo owner

    As of the just released v.0.4.2 there's a setSkipDefaultAudienceValidation() on the builder that I think will do what you're looking for (#19 has a little more info that may be useful). Please use it carefully though.

    I know I need to actually write some better docs and can see how requireAudienceClaim is potentially misleading. That requireAudienceClaim=true is a way to say that an aud claim must be present and to fail validation if there's no aud. But requireAudienceClaim=false doesn't mean that no aud checking is done, it means that a JWT without an aud is acceptable.

    JwtConsumer[Builder] attempts to follow the spec and have secure options on by default. Checking the aud claim whenever it is present is part of that - but it needs to be given the acceptable audience values. FWIW, the exp and nbf claims are also validated by default whenever they are present in a JWT but the current time is used.
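
The three builder configurations discussed in the report and the reply, side by side, as an added example that is not code from the issue or from jose4j itself. The HS256 sample token and its throwaway signing key are constructed here (every consumer below skips signature verification, as in the report); the rejection text in the comments is the one quoted in the issue. Configuration 2 is the safe choice whenever the expected audience is known; configuration 3 is the new v0.4.2 option and accepts a token minted for any audience, which is the reason for the "use it carefully" caveat.

```java
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.HmacKey;

import java.security.SecureRandom;

public class AudienceValidationExample {

    // Constructed sample token: HS256-signed, aud=some.aud, exp ten minutes out.
    // The key is random and discarded, because the consumers below skip
    // signature verification exactly as the issue reporter did.
    static String buildSampleToken() throws Exception {
        byte[] keyBytes = new byte[32];
        new SecureRandom().nextBytes(keyBytes);

        JwtClaims claims = new JwtClaims();
        claims.setAudience("some.aud");
        claims.setExpirationTimeMinutesInTheFuture(10);

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(new HmacKey(keyBytes));
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        return jws.getCompactSerialization();
    }

    // Returns null when the consumer accepts the token, otherwise the rejection message.
    static String tryConsume(String label, JwtConsumer consumer, String jwt) {
        try {
            JwtClaims claims = consumer.processToClaims(jwt);
            System.out.println(label + ": accepted " + claims.toJson());
            return null;
        } catch (InvalidJwtException e) {
            System.out.println(label + ": rejected - " + e.getMessage());
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String jwt = buildSampleToken();

        // 1. What the reporter tried: requireAudienceClaim=false with no expected values.
        //    A token WITHOUT aud would pass; this token HAS aud, so it is checked
        //    against an empty list and rejected ("Expected one of [] as an aud value").
        JwtConsumer noExpected = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setRequireExpirationTime()
                .setExpectedAudience(false)
                .build();
        tryConsume("setExpectedAudience(false)", noExpected, jwt);

        // 2. The workaround from the report: aud is optional, but when present it
        //    must be some.aud. Accepts this token, rejects one minted for another audience.
        JwtConsumer withExpected = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setRequireExpirationTime()
                .setExpectedAudience(false, "some.aud")
                .build();
        tryConsume("setExpectedAudience(false, \"some.aud\")", withExpected, jwt);

        // 3. The v0.4.2 option: no aud check at all. Accepts this token, but would
        //    equally accept one issued for a different audience, hence the caveat
        //    in the maintainer's reply; prefer (2) whenever the audience is known.
        JwtConsumer skipAud = new JwtConsumerBuilder()
                .setSkipSignatureVerification()
                .setRequireExpirationTime()
                .setSkipDefaultAudienceValidation()
                .build();
        tryConsume("setSkipDefaultAudienceValidation()", skipAud, jwt);
    }
}
```

Run with jose4j on the classpath; configuration 1 prints the rejection, configurations 2 and 3 print the accepted claims. The same exp handling applies throughout: exp and nbf are checked against the current time whenever present, and setRequireExpirationTime() only adds the requirement that exp exist.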