empty expected audience array should throw InvalidClaimException (#679)

jimmyjames · web-flow · commit d5c05d73a245 · 2023-12-01T06:48:30.000-06:00
diff --git a/lib/src/main/java/com/auth0/jwt/JWTVerifier.java b/lib/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -364,12 +364,19 @@ private boolean assertInstantIsLessThanOrEqualToNow(Instant claimVal, long leewa
         }
 
         private boolean assertValidAudienceClaim(
-                List<String> audience,
-                List<String> values,
+                List<String> actualAudience,
+                List<String> expectedAudience,
                 boolean shouldContainAll
         ) {
-            return !(audience == null || (shouldContainAll && !audience.containsAll(values))
-                    || (!shouldContainAll && Collections.disjoint(audience, values)));
+            if (actualAudience == null || expectedAudience == null) {
+                return false;
+            }
+
+            if (shouldContainAll) {
+                return actualAudience.containsAll(expectedAudience);
+            } else {
+                return !Collections.disjoint(actualAudience, expectedAudience);
+            }
         }
 
         private void assertPositive(long leeway) {
diff --git a/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java b/lib/src/test/java/com/auth0/jwt/JWTVerifierTest.java
@@ -310,6 +310,21 @@ public void shouldThrowWhenAudienceClaimIsNullWithAnAudience() {
         assertThat(e.getClaimValue().asArray(String.class), is(new String[] {null}));
     }
 
+    @Test
+    public void shouldThrowWhenExpectedEmptyList() {
+        IncorrectClaimException e = assertThrows(null, IncorrectClaimException.class, () -> {
+            // Token 'aud': 'wide audience'
+            String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ3aWRlIGF1ZGllbmNlIn0.c9anq03XepcuEKWEVsPk9cck0sIIfrT6hHbBsCar49o";
+            JWTVerifier.init(Algorithm.HMAC256("secret"))
+                    .withAnyOfAudience(new String[0])
+                    .build()
+                    .verify(token);
+        });
+        assertThat(e.getMessage(), is("The Claim 'aud' value doesn't contain the required audience."));
+        assertThat(e.getClaimName(), is(RegisteredClaims.AUDIENCE));
+        assertThat(e.getClaimValue().asString(), is("wide audience"));
+    }
+
     @Test
     public void shouldNotReplaceWhenMultipleChecksAreAdded() {
         JWTVerifier verifier = JWTVerifier.init(Algorithm.HMAC256("secret"))
