Preserve insertion order for claims (#656)

snago · jimmyjames · web-flow · commit e85a00a00543 · 2023-03-27T14:57:04.000-05:00
Co-authored-by: Jim Anderson &lt;jim.anderson@auth0.com&gt;
diff --git a/lib/src/main/java/com/auth0/jwt/JWTCreator.java b/lib/src/main/java/com/auth0/jwt/JWTCreator.java
@@ -71,8 +71,8 @@ public static class Builder {
         private final Map<String, Object> headerClaims;
 
         Builder() {
-            this.payloadClaims = new HashMap<>();
-            this.headerClaims = new HashMap<>();
+            this.payloadClaims = new LinkedHashMap<>();
+            this.headerClaims = new LinkedHashMap<>();
         }
 
         /**
@@ -112,7 +112,7 @@ public Builder withHeader(String headerClaimsJson) throws IllegalArgumentExcepti
             }
 
             try {
-                Map<String, Object> headerClaims = mapper.readValue(headerClaimsJson, HashMap.class);
+                Map<String, Object> headerClaims = mapper.readValue(headerClaimsJson, LinkedHashMap.class);
                 return withHeader(headerClaims);
             } catch (JsonProcessingException e) {
                 throw new IllegalArgumentException("Invalid header JSON", e);
@@ -508,7 +508,7 @@ public Builder withPayload(String payloadClaimsJson) throws IllegalArgumentExcep
             }
 
             try {
-                Map<String, Object> payloadClaims =  mapper.readValue(payloadClaimsJson, HashMap.class);
+                Map<String, Object> payloadClaims =  mapper.readValue(payloadClaimsJson, LinkedHashMap.class);
                 return withPayload(payloadClaims);
             } catch (JsonProcessingException e) {
                 throw new IllegalArgumentException("Invalid payload JSON", e);
diff --git a/lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java b/lib/src/test/java/com/auth0/jwt/JWTCreatorTest.java
@@ -3,8 +3,8 @@
 import com.auth0.jwt.algorithms.Algorithm;
 import com.auth0.jwt.interfaces.ECDSAKeyProvider;
 import com.auth0.jwt.interfaces.RSAKeyProvider;
-import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
@@ -1010,4 +1010,51 @@ public void shouldCreatePayloadWithNullForList() {
         assertThat(jwt, is(notNullValue()));
         assertTrue(JWT.decode(jwt).getClaim("name").isNull());
     }
+
+    @Test
+    public void shouldPreserveInsertionOrder() throws Exception {
+        String taxonomyJson = "{\"class\": \"mammalia\", \"order\": \"carnivora\", \"family\": \"canidae\", \"genus\": \"vulpes\"}";
+        List<String> taxonomyClaims = Arrays.asList("class", "order", "family", "genus");
+        List<String> headerInsertionOrder = new ArrayList<>(taxonomyClaims);
+        Map<String, Object> header = new LinkedHashMap<>();
+        for (int i = 0; i < 10; i++) {
+            String key = "h" + i;
+            header.put(key, "v" + 1);
+            headerInsertionOrder.add(key);
+        }
+
+        List<String> payloadInsertionOrder = new ArrayList<>(taxonomyClaims);
+        JWTCreator.Builder builder = JWTCreator.init()
+                .withHeader(taxonomyJson)
+                .withHeader(header)
+                .withPayload(taxonomyJson);
+        for (int i = 0; i < 10; i++) {
+            String name = "c" + i;
+            builder = builder.withClaim(name, "v" + i);
+            payloadInsertionOrder.add(name);
+        }
+        String signed = builder.sign(Algorithm.HMAC256("secret"));
+
+        assertThat(signed, is(notNullValue()));
+        String[] parts = signed.split("\\.");
+        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
+        String headerJson = new String(urlDecoder.decode(parts[0]), StandardCharsets.UTF_8);
+        String payloadJson = new String(urlDecoder.decode(parts[1]), StandardCharsets.UTF_8);
+
+        ObjectMapper objectMapper = new ObjectMapper();
+
+        List<String> headerFields = new ArrayList<>();
+        objectMapper.readValue(headerJson, ObjectNode.class)
+                .fieldNames().forEachRemaining(headerFields::add);
+        headerFields.retainAll(headerInsertionOrder);
+        assertThat("Header insertion order should be preserved",
+                headerFields, is(equalTo(headerInsertionOrder)));
+
+        List<String> payloadFields = new ArrayList<>();
+        objectMapper.readValue(payloadJson, ObjectNode.class)
+                .fieldNames().forEachRemaining(payloadFields::add);
+        payloadFields.retainAll(payloadInsertionOrder);
+        assertThat("Claim insertion order should be preserved",
+                payloadFields, is(equalTo(payloadInsertionOrder)));
+    }
 }
