DefaultJWTClaimsVerifier's exception message has a non-deterministic order

Issue #444 resolved
Nathan Herring created an issue

If not all the required claims are present, the order in which the missing claims are presented in the BadJWTException message is non-deterministic due to the use of the HashSet. This isn't particularly problematic by itself, but the DefaultJWTClaimsVerifierTest.testRequiresMultiple relies on a particular ordering of the missing claims and will fail depending on the behavior of your HashSet.

Suggest: Sort the missing claims before presenting, so there's always the exact same exception message independent of the hash implementation, e.g., using a SortedSet instead of a HashSet.
Alternative: Refactor the test to avoid relying on the specific ordering of the output.
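
Both options from the issue, sketched as an added example that is not the library's code or part of the original report: the class, exception type, message text and sample claims are hypothetical stand-ins constructed for illustration.

```java
import java.util.*;

// Hypothetical stand-in for a claims verifier; not the library's source.
public class MissingClaimsDemo {

    // Constructed exception type for this example.
    static class BadClaimsException extends Exception {
        BadClaimsException(String message) { super(message); }
    }

    // Collects the required claims absent from the token. A TreeSet iterates
    // in natural (lexicographic) order, so the resulting message is identical
    // on every JVM; a HashSet would leave the order to the hash implementation.
    static SortedSet<String> missingClaims(Set<String> required, Map<String, Object> claims) {
        SortedSet<String> missing = new TreeSet<>();
        for (String name : required) {
            if (!claims.containsKey(name)) {
                missing.add(name);
            }
        }
        return missing;
    }

    static void verify(Set<String> required, Map<String, Object> claims) throws BadClaimsException {
        SortedSet<String> missing = missingClaims(required, claims);
        if (!missing.isEmpty()) {
            // Constructed message text; the sorted set fixes the order of the names.
            throw new BadClaimsException("JWT missing required claims: " + missing);
        }
    }

    public static void main(String[] args) {
        // Constructed sample input: only "iss" is present.
        Set<String> required = new HashSet<>(Arrays.asList("sub", "iss", "exp", "aud"));
        Map<String, Object> claims = new HashMap<>();
        claims.put("iss", "https://issuer.example");

        try {
            verify(required, claims);
            throw new AssertionError("expected verification to fail");
        } catch (BadClaimsException e) {
            System.out.println(e.getMessage()); // same text on every run
        }
        // The alternative: assert on the set of names, not on the message string.
        Set<String> expected = new HashSet<>(Arrays.asList("sub", "exp", "aud"));
        if (!missingClaims(required, claims).equals(expected)) {
            throw new AssertionError("unexpected missing-claims set");
        }
    }
}
```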
