Description
Summary
If given a JWT token to decode which has no "exp" field, then the following line throws an exception:
Instant expiresAt = jwtClaimsSet.getExpirationTime().toInstant();
The spec, however, lists this as an optional field [1]:
The "exp" (expiration time) claim identifies the expiration time on
or after which the JWT MUST NOT be accepted for processing. The
processing of the "exp" claim requires that the current date/time
MUST be before the expiration date/time listed in the "exp" claim.
Implementers MAY provide for some small leeway, usually no more than
a few minutes, to account for clock skew. Its value MUST be a number
containing a NumericDate value. Use of this claim is OPTIONAL.
[1] https://tools.ietf.org/html/rfc7519#section-4.1.4 (emphasis mine)
Actual Behavior
Given a JWT with no "exp" field, an NPE is thrown.
Expected Behavior
An NPE should not be thrown.
Note that AbstractOAuth2Token requires that expiredAt be non-null. Perhaps the code could provide a default value, as it already does with issuedAt for the same reason.
Version
5.1.0.BUILD-SNAPSHOT
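
The "exp" rules quoted from RFC 7519 above, as an added example that is not part of the original report and is not Spring Security's or Nimbus's code. It treats an absent "exp" as distinct from a malformed one and applies a clock-skew leeway; the class name, the method names, the `requireExp` policy flag and the sample claim values are all assumptions made for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;

// Hypothetical helper class; claims are modelled as a plain decoded-JSON map.
public class ExpClaimCheck {

    /** Returns "exp" as an Instant, or empty when the claim is absent (it is OPTIONAL). */
    static Optional<Instant> expiresAt(Map<String, Object> claims) {
        Object exp = claims.get("exp");
        if (exp == null) {
            return Optional.empty();   // absent: no NPE, caller decides what that means
        }
        if (!(exp instanceof Number)) {
            // Present but not a NumericDate: a malformed token, not "no expiry".
            throw new IllegalArgumentException("exp must be a NumericDate");
        }
        // Fractional seconds, if any, are truncated.
        return Optional.of(Instant.ofEpochSecond(((Number) exp).longValue()));
    }

    /** True when the token may still be processed at 'now', allowing 'leeway' for clock skew. */
    static boolean acceptable(Map<String, Object> claims, Instant now,
                              Duration leeway, boolean requireExp) {
        Optional<Instant> exp = expiresAt(claims);
        if (exp.isEmpty()) {
            return !requireExp;        // explicit policy choice for tokens without "exp"
        }
        return now.isBefore(exp.get().plus(leeway));   // current time MUST be before exp
    }

    public static void main(String[] args) {
        // Constructed sample data: a fixed clock and three decoded claim sets.
        Instant now = Instant.ofEpochSecond(1_700_000_000L);
        Duration leeway = Duration.ofSeconds(60);
        Map<String, Object> noExp = Map.of("sub", "alice");
        Map<String, Object> withinLeeway = Map.of("sub", "alice", "exp", 1_699_999_970L);
        Map<String, Object> longExpired = Map.of("sub", "alice", "exp", 1_699_990_000L);

        System.out.println("no exp, exp optional: " + acceptable(noExp, now, leeway, false));
        System.out.println("no exp, exp required: " + acceptable(noExp, now, leeway, true));
        System.out.println("expired 30s ago:      " + acceptable(withinLeeway, now, leeway, false));
        System.out.println("expired long ago:     " + acceptable(longExpired, now, leeway, false));
    }
}
```

Whether a token without "exp" is accepted is left to the caller here, because substituting a default expiry changes how long such a token remains usable.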