OAuth2: Allow empty JWTOptions.audience (eclipse-vertx#732)

Traderjoe95 · tsegismont · commit f3a868930936 · 2025-09-26T17:40:58.000+02:00
diff --git a/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.java b/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.java
@@ -644,7 +644,7 @@ private JsonObject validToken(JsonObject token, boolean idToken) throws IllegalS
       }
     }
 
-    if (target != null && target.size() > 0) {
+    if (target != null && !target.isEmpty()) {
       if (idToken || jwtOptions.getAudience() == null) {
         // https://openid.net/specs/openid-connect-core-1_0.html#  $3.1.3.7.
         // The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer
@@ -654,7 +654,7 @@ private JsonObject validToken(JsonObject token, boolean idToken) throws IllegalS
         if (!target.contains(config.getClientId())) {
           throw new IllegalStateException("Invalid JWT audience. expected: " + config.getClientId());
         }
-      } else {
+      } else if (!jwtOptions.getAudience().isEmpty()) {
         if (Collections.disjoint(jwtOptions.getAudience(), target.getList())) {
           throw new IllegalStateException("Invalid JWT audience. expected: " + Json.encode(jwtOptions.getAudience()));
         }
diff --git a/vertx-auth-oauth2/src/test/java/io/vertx/tests/Oauth2TokenAudienceTest.java b/vertx-auth-oauth2/src/test/java/io/vertx/tests/Oauth2TokenAudienceTest.java
@@ -15,6 +15,8 @@
 import org.junit.Test;
 import org.junit.runner.RunWith;
 
+import java.util.ArrayList;
+
 @RunWith(VertxUnitRunner.class)
 public class Oauth2TokenAudienceTest {
 
@@ -115,4 +117,281 @@ public void testBadAudience(TestContext should) {
         should.fail("Audience is incorrect");
       });
   }
+
+  @Test
+  public void testGoodDefaultAudience(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .setAudience(null));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256").addAudience("a").addAudience("b").addAudience("client-id"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(should::fail)
+      .onSuccess(res -> {
+        should.assertNotNull(res);
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testBadDefaultAudience(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .setAudience(null));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256").addAudience("a").addAudience("b").addAudience("c"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(err -> {
+        test.complete();
+      })
+      .onSuccess(res -> {
+        should.fail("Audience is incorrect");
+      });
+  }
+
+  @Test
+  public void testNoAudienceCheck(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .setAudience(new ArrayList<>()));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256").addAudience("a").addAudience("b").addAudience("c"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(should::fail)
+      .onSuccess(res -> {
+        should.assertNotNull(res);
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testTokenWithoutAudience(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .addAudience("a"));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(should::fail)
+      .onSuccess(res -> {
+        should.assertNotNull(res);
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testTokenWithoutAudienceDefaultCheck(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .setAudience(null));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(should::fail)
+      .onSuccess(res -> {
+        should.assertNotNull(res);
+        test.complete();
+      });
+  }
+
+  @Test
+  public void testTokenWithoutAudienceNoCheck(TestContext should) {
+    final Async test = should.async();
+
+    JsonObject jwk = new JsonObject()
+      .put("kty", "RSA")
+      .put("n", "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw")
+      .put("e", "AQAB")
+      .put("d", "X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q")
+      .put("p", "83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs")
+      .put("q", "3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk")
+      .put("dp", "G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0")
+      .put("dq", "s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk")
+      .put("qi", "GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU")
+      .put("alg", "RS256")
+      .put("kid", "2011-04-29");
+
+    OAuth2Options options = new OAuth2Options()
+      .setClientId("client-id")
+      .setClientSecret("client-secret")
+      .addJwk(jwk)
+      .setJWTOptions(
+        new JWTOptions()
+          .setAudience(new ArrayList<>()));
+
+    JWTAuth jwt = JWTAuth.create(rule.vertx(), new JWTAuthOptions().addJwk(jwk));
+    OAuth2Auth oauth2 = OAuth2Auth.create(rule.vertx(), options);
+
+    JsonObject payload = new JsonObject()
+      .put("sub", "Paulo");
+
+    final String token = jwt.generateToken(payload,
+      new JWTOptions().setAlgorithm("RS256"));
+
+    should.assertNotNull(token);
+
+    TokenCredentials authInfo = new TokenCredentials(token);
+
+    oauth2.authenticate(authInfo)
+      .onFailure(should::fail)
+      .onSuccess(res -> {
+        should.assertNotNull(res);
+        test.complete();
+      });
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -644,7 +644,7 @@ private JsonObject validToken(JsonObject token, boolean idToken) throws IllegalS`
`644`	`644`	`}`
`645`	`645`	`}`
`646`	`646`
`647`		`- if (target != null && target.size() > 0) {`
	`647`	`+ if (target != null && !target.isEmpty()) {`
`648`	`648`	`if (idToken \|\| jwtOptions.getAudience() == null) {`
`649`	`649`	`// https://openid.net/specs/openid-connect-core-1_0.html# $3.1.3.7.`
`650`	`650`	`// The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer`
`@@ -654,7 +654,7 @@ private JsonObject validToken(JsonObject token, boolean idToken) throws IllegalS`
`654`	`654`	`if (!target.contains(config.getClientId())) {`
`655`	`655`	`throw new IllegalStateException("Invalid JWT audience. expected: " + config.getClientId());`
`656`	`656`	`}`
`657`		`- } else {`
	`657`	`+ } else if (!jwtOptions.getAudience().isEmpty()) {`
`658`	`658`	`if (Collections.disjoint(jwtOptions.getAudience(), target.getList())) {`
`659`	`659`	`throw new IllegalStateException("Invalid JWT audience. expected: " + Json.encode(jwtOptions.getAudience()));`
`660`	`660`	`}`