JOSE Validators claim mandatoriness option

[FerencKemeny]

Expected Behavior

I would like to build a control in JwtTimestampValidator, JwtIssuerValidator and JwtAudienceValidator that mandatoriness of the specific JWT clause is specified. So that a required parameter can specify the same way like it is done in JwtIssuedAtValidator.

Current Behavior

The above mentioned validators are simply falling through with successful check when the given clause is missing form JWT. This may be a misleading behavior because validator is created for a reason. However it is understandable the claims are optional by the specification - in general.

Context

I would like to create the alternative that the implementor could control if the fields must be mandatory. Currently this could be achieved by adding multiple validators. It is more elegant to specify if the given validator requires the claim and make the validation fail if the claim is missing. So this way more strict and rigorous control could be built.

[jzheaux]

Thanks for the suggestion, @FerencKemeny. I've added this to our Spring Security 7 roadmap.

[jzheaux]

Note that JwtTypValidator has a method setAllowEmpty that may be of interest. This could be added to other validators. For backward compatibility in other vaildators, allowEmpty would be true by default.

[FerencKemeny]

This could be added to other validators.

So do you mean you would like to see setAllowEmpty method implemented the same way as it is in JwtTypeValidator, instead of contructor parameters? It is true, number of JwtTimestampValidator constructors increased a bit this way. setAllowEmpty method may make it simpler.

I think this is more like code cleanness but backward compatibility. I did not change the original contructor signatures and their function.

Let me change as you suggested.

[FerencKemeny]

@jzheaux Refactored with creating setAllowEmpty method.

[jzheaux]

Closing in favor of #17030