Jwt list of audience in Spring

Question

When creating the token, I've set a list of audience as follows:

JwtClaims claims = new JwtClaims();
        claims.setIssuer(issuer);
        claims.setAudience(Lists.newArrayList(audiences));
        claims.setExpirationTimeMinutesInTheFuture(60);
        claims.setJwtId(keyId);
        claims.setIssuedAtToNow(); 
        claims.setNotBeforeMinutesInThePast(2);
        claims.setSubject(subject);

The problem comes on the consumer side that is not giving me the expected audience. This is what I've done on the consumer side:

JwtConsumer jwtConsumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .setExpectedIssuer(issuer)
                .setExpectedAudience(String.valueOf(Lists.newArrayList(audiences)))
                .setVerificationKey(rsaJsonWebKey.getKey())
                .build();

There's something wrong with the setExpectedAudience but I can't find the problem. This is what I got in the console.

Invalid JWT! org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->{"iss":"EXAMPLEISSUER","aud":["test1","test2","test3"],"exp":1657880599,"jti":"EXAMPLE_SHA1withRSA","iat":1657876999,"nbf":1657876879,"sub":"example"}) rejected due to invalid claims or other invalid content. Additional details: [[8] Audience (aud) claim [test1, test2, test3] doesn't contain an acceptable identifier. Expected [test1, test2, test3] as an aud value.]

Your IDE should help you with this. You are using `setExpectedAudience` wrong: https://javadoc.io/doc/org.bitbucket.b_c/jose4j/0.5.1/org/jose4j/jwt/consumer/JwtConsumerBuilder.html#setExpectedAudience(boolean,%20java.lang.String...) — Salil, Jul 15 '22 at 13:19
I've tried this also but nothing. .setExpectedAudience(false, String.valueOf(audiences)) — DiegoMG, Jul 15 '22 at 13:35

score 1 · Answer 1 · answered Jul 15 '22 at 14:42

1

setExpectedAudience() accepts varargs, so make an ordinary String[] array from your audiences and use it as an argument.

answered Jul 15 '22 at 14:42

dekkard

6,121
1
16
26

I've declare my audiences as a @Value("#{'${example.audience}'.split(',')}") private List audiences; – DiegoMG Jul 15 '22 at 14:51
What worked for me was this: .setExpectedAudience(true, audiences.toArray(new String[]{})) but I don't know if it's right – DiegoMG Jul 15 '22 at 15:18
1

.. which is exactly what you can see in my answer – dekkard Jul 16 '22 at 21:27

Jwt list of audience in Spring

1 Answers1