Token authentication fails when jwt-audience is not defined #4141

Closed
mkuchtiak opened this issue Apr 19, 2022 · 0 comments · Fixed by #4160
Labels
bug Something isn't working P2 security

Comments

@mkuchtiak

Environment Details

  • Helidon Version: 2.5.0 (2.4.2)
  • Helidon SE or Helidon MP: MP
  • JDK version: 11.0.9
  • OS:
  • Docker version (if applicable):

Problem Description

Error 401 is returned when one microservice sends a request to another.

The problem is caused by the following method in JwtProvider, which throws an NPE:

    private AuthenticationResponse authenticateToken(String token) {
        SignedJwt signedJwt;
        try {
            signedJwt = SignedJwt.parseToken(token);
        } catch (Exception e) {
            //invalid token
            return failOrAbstain("Invalid token" + e);
        }
        if (verifySignature) {
            Errors errors = signedJwt.verifySignature(verifyKeys, defaultJwk);
            if (errors.isValid()) {
                Jwt jwt = signedJwt.getJwt();
                // verify the audience is correct
                Errors validate = jwt.validate(null, expectedAudience);                              // this throws NPE when expectedAudience is null
                if (validate.isValid()) {
                    return AuthenticationResponse.success(buildSubject(jwt, signedJwt));
                } else {
                    return failOrAbstain("Audience is invalid or missing: " + expectedAudience);
                }
            } else {
                return failOrAbstain(errors.toString());
            }
        } else {
            return AuthenticationResponse.success(buildSubject(signedJwt.getJwt(), signedJwt));
        }
    }

The jwt.validate() calls the Jwt#validate method:

    public Errors validate(String issuer, String audience) {
        return validate(issuer, Set.of(audience));
    }

That throws an NPE when audience is null.

This NPE is propagated to error 401 in the end.

Formerly, in Helidon 2.3.0, a null audience value was handled properly.
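The following is an added, self-contained example and not Helidon's code. It reproduces the failure mechanism the report describes: `Set.of(audience)` rejects a null element with a NullPointerException, the provider's catch-all turns that into a 401, and a null-safe variant skips the audience check only when no audience is configured while still enforcing a configured one. The class, method and audience names (`AudienceCheckExample`, `audienceMatches`, `validateAsQuoted`, `validateNullSafe`, `authenticate`, `orders-service`, `billing-service`) are hypothetical stand-ins, and the token's `aud` values are constructed sample input.

```java
import java.util.List;
import java.util.Set;

public class AudienceCheckExample {

    // Hypothetical stand-in for the audience comparison performed by a validate() call:
    // accept when no audience is expected, otherwise require an overlap with the token's aud.
    static boolean audienceMatches(List<String> tokenAudiences, Set<String> expectedAudiences) {
        if (expectedAudiences.isEmpty()) {
            return true;
        }
        return tokenAudiences.stream().anyMatch(expectedAudiences::contains);
    }

    // Same shape as the quoted Jwt#validate(String, String): Set.of(audience)
    // throws NullPointerException when audience is null.
    static boolean validateAsQuoted(List<String> tokenAudiences, String expectedAudience) {
        return audienceMatches(tokenAudiences, Set.of(expectedAudience));
    }

    // Null-safe variant: a missing expected audience means the check is skipped,
    // a configured one is still enforced.
    static boolean validateNullSafe(List<String> tokenAudiences, String expectedAudience) {
        Set<String> expected = expectedAudience == null ? Set.of() : Set.of(expectedAudience);
        return audienceMatches(tokenAudiences, expected);
    }

    // Hypothetical caller that, like the provider described in the issue, turns any
    // exception raised during validation into a 401 (fail closed) instead of letting it escape.
    static int authenticate(List<String> tokenAudiences, String expectedAudience, boolean nullSafe) {
        try {
            boolean valid = nullSafe
                    ? validateNullSafe(tokenAudiences, expectedAudience)
                    : validateAsQuoted(tokenAudiences, expectedAudience);
            return valid ? 200 : 401;
        } catch (RuntimeException e) {
            System.out.println("validation threw " + e.getClass().getSimpleName() + " -> 401");
            return 401;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the calling service's token carries a single "aud" value.
        List<String> tokenAudiences = List.of("orders-service");

        System.out.println("configured audience, quoted code: "
                + authenticate(tokenAudiences, "orders-service", false));
        System.out.println("no audience configured, quoted code: "
                + authenticate(tokenAudiences, null, false));
        System.out.println("no audience configured, null-safe: "
                + authenticate(tokenAudiences, null, true));
        System.out.println("wrong audience configured, null-safe: "
                + authenticate(tokenAudiences, "billing-service", true));
    }
}
```

Run with `javac AudienceCheckExample.java && java AudienceCheckExample` on JDK 11. The second call is the reported scenario: `Set.of(null)` throws, the catch block logs the NullPointerException and the request is denied with 401 even though the token is otherwise valid, so the bug is a denial of service to legitimate callers rather than an authentication bypass. With the null-safe variant the same request is accepted, while a configured but mismatching audience is still rejected. The caveat for deployments: once null is treated as "no audience check", a service that relies on `aud` to stop tokens minted for one service being replayed against another must set jwt-audience explicitly rather than relying on the default.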


3 participants