Methods with return type List may return null
Issue #58
closed
E.g. JwtClaims.getAudience() may return null. It's a bad practice and it complitaces usage of the library. Empty list should be returned instead.
Comments (8)
-
repo owner
-
repo owner
BTW, if you are using the JwtConsumer/JwtConsumerBuilder you likely won't need to use JwtClaims.getAudience() directly. Examples at https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples
-
repo owner
- marked as minor
-
reporter
What is the semantic difference between an empty list claim and a claim that is not present at all?
-
repo owner
Depends on the definition of the claim but, for example, the token is only audience restricted if the aud claim is present (http://tools.ietf.org/html/rfc7519#section-4.1.3). No aud claim means no audience restriction. Though not really a realistic case, "aud": [] would mean that the token audience restricted but for no one. The AudValidator https://bitbucket.org/b_c/jose4j/src/539a4f45e2c2bfc18ec3a55b8a69810bdec92d89/src/main/java/org/jose4j/jwt/consumer/AudValidator.java?at=master&fileviewer=file-view-default currently relies on getAudience() retuning null to indicate that there was no aud claim.
-
repo owner
- changed status to resolved
-
reporter
Thanks!
-
repo owner
- changed status to closed
released with v0.5.1
- Log in to comment
Though it's probably unlikely to happen in practice, there are semantic differences between a claim with an empty list value and a claim that's not present in the JWT. The request makes sense but I'll need to do some looking to try and make sure it wouldn't break anything.