From 00294ed777c8d5760afebfa225d332a8fbf9cd8b Mon Sep 17 00:00:00 2001
From: Martin Mazanek
Date: Fri, 2 Feb 2018 11:52:27 +0100
Subject: [PATCH] [ELY-1507] JwtValidator issuer and audience check ignoring does not work

https://issues.jboss.org/browse/ELY-1507
---
 .../auth/realm/token/validator/JwtValidator.java | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java b/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
index e261c8db063..333217d65d5 100644
--- a/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
+++ b/src/main/java/org/wildfly/security/auth/realm/token/validator/JwtValidator.java
@@ -169,6 +169,8 @@ private boolean verifySignature(String encodedHeader, String encodedClaims, Stri
     }
 
     private boolean hasValidAudience(JsonObject claims) throws RealmUnavailableException {
+        if (this.audiences.isEmpty()) return true;
+
         JsonValue audience = claims.get("aud");
 
         if (audience == null) {
@@ -186,7 +188,7 @@ private boolean hasValidAudience(JsonObject claims) throws RealmUnavailableExcep
 
         boolean valid = audClaimArray.stream()
                 .map(jsonValue -> (JsonString) jsonValue)
-                .anyMatch(audience1 -> audiences.contains(audience1.getString())) || audiences.isEmpty();
+                .anyMatch(audience1 -> audiences.contains(audience1.getString()));
 
         if (!valid) {
             log.debugf("Audience check failed. Provided [%s] but was expected [%s].", audClaimArray.toArray(), this.audiences);
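Review bot: The new guard `if (this.audiences.isEmpty()) return true;` turns an empty audience set into "accept whatever aud the token carries" with nothing in the code or the logs saying so, and hasValidIssuer in the last hunk of this file does the same for issuers. I would put a comment on the guard such as `// No audiences configured: the aud claim is deliberately not enforced (ELY-1507)` and the matching one in hasValidIssuer, and emit a `log.debug("No audiences configured, skipping audience check")` before returning so an operator reading the log can distinguish "check skipped" from "check passed". If the builder's Javadoc for the audience and issuer setters does not already state that omitting them disables the corresponding check, that caveat belongs there too, but the builder is outside this diff. hasValidAudience continues past the end of this hunk.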
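Review bot: The debug message in the `if (!valid)` branch hands `audClaimArray.toArray()` to a `%s` placeholder; if debugf follows String.format semantics, an Object[] argument is rendered by its array identity rather than its members, so the "Provided [...]" part of the message would not show the rejected values when diagnosing a rejected token. Passing `audClaimArray` itself should print the JSON array text, since JsonValue.toString() yields the JSON representation, i.e. `log.debugf("Audience check failed. Provided [%s] but was expected [%s].", audClaimArray, this.audiences);`. This line is unchanged context rather than part of the fix, but it is the only place the rejected audience values are reported. hasValidAudience starts in the previous hunk and continues past this one.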
@@ -196,13 +198,16 @@ private boolean hasValidAudience(JsonObject claims) throws RealmUnavailableExcep
     }
 
     private boolean hasValidIssuer(JsonObject claims) throws RealmUnavailableException {
+        if (this.issuers.isEmpty()) return true;
+
         String issuer = claims.getString("iss", null);
 
         if (issuer == null) {
+            log.debug("Token does not contain an issuer claim");
             return false;
         }
 
-        boolean valid = this.issuers.contains(issuer) || this.issuers.isEmpty();
+        boolean valid = this.issuers.contains(issuer);
 
         if (!valid) {
             log.debugf("Issuer check failed. Provided [%s] but was expected [%s].", issuer, this.issuers);
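Review bot: `if (this.issuers.isEmpty()) return true;` is written braceless on one line while every other conditional in the hunk (`if (issuer == null) {`, `if (!valid) {`) is braced across lines, and the audience guard added in the first hunk has the same shape; I would write it as `if (this.issuers.isEmpty()) {` / `return true;` / `}` so the style stays consistent within the class. The added `log.debug("Token does not contain an issuer claim");` is useful for diagnosing rejected tokens; the `audience == null` branch of hasValidAudience presumably wants the equivalent message, but its body lies outside the diff so I cannot tell whether it already logs. hasValidIssuer continues past the end of this hunk.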