No longer able to use "ArrayList" in "aud" claim #787
Comments
|
However, it is still possible to obtain the result using setContent as documented, to the expense of not being able to use the convenient helper methods to set other claims. |
|
Hi there - when you say "current main", do you mean a build created from the |
|
I think I see - you were avoiding the previous Yes, the current main branch does tighter type assertions, and the current logic is incorrect - it must allow an array of strings or a single string. So it seems that the If this seems incorrect, please let me know. Thanks for reporting this!!! |
|
Yes, I guess having "aud" being a list, and falling back on a single string in case there is only one value is a good way to go. It will be compatible with RFC 7519 (even if the RFC does not make the fallback on single string in case of only one value mandatory). List<String> getAudience()
String getFirstAudience()to make it easier to manage audience when what we want is a single value. |
|
Good idea here - thanks for the idea and feedback! We'll definitely work on this before cutting a release |
|
I can try to work on a pull request for it. public JwtBuilder setAudience(String aud);
public JwtBuilder setAudience(List<String> aud);I saw that |
|
Maybe
|
|
I would hold off on a PR for a little bit - there's a bit of change I'm working on for immutable |
|
Thinking out loud: I wonder if it makes sense to make Also, This way an app developer never needs to account for two data types in their code (which is undesirable IMO). Then you can do something like this:
One downside of this approach is that if the JWT creator needs to have it be a string claim (and not an array of strings) - perhaps because the JWT receiver blindly requires a String value and hasn't been updated to read arrays yet - there might need to be another way to just set a |
Yes, this is the tricky part I was hinting at in my potential merge conflict comment. This is the first time encountering a single-member-can-be-two-types case, so it might be forced to be |
|
There are some older clients that assume the That said... Maybe that is something that is configured on the serializer? (and implement the api/impl as @lhazlewood suggests) 🤔 |
|
I had the same impression. I did experiment with a I'm not fond of the |
|
Sorry I didn't notice your message about better work in that after your work on immutable instances. That's fine for me. I'm playing with the code to learn, and explore options. |
|
I realized we have a couple issues open relating to |
Describe the bug
Using 0.11.5, one is able to define a "aud" claim that is a list, as allowed by the standard.
With current main, it is no longer possible, resulting in an error.
To Reproduce
Steps to reproduce the behavior:
With 0.11.5, this code worked:
List resources = Arrays.asList("foo", "bar");
JwtBuilder tokenBuilder = Jwts.builder()
.signWith(pKey.getPrivate())
.setSubject(subject)
.claim(Claims.AUDIENCE, resources)
.build()
With current main, it produces:
"java.lang.IllegalArgumentException: Invalid JWT Claim 'aud' (Audience) value: [foo,bar]. Unsupported value type. Expected: java.lang.String, found: java.util.ArrayList
Expected behavior
Expected to be still able to use the "claim" method to set a custom but standard defined claim value for "aud".
The text was updated successfully, but these errors were encountered: