getClaimAsBoolean should not be falsy #10148
Labels
in: oauth2
An issue in OAuth2 modules (oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: first-timers-only
An issue that can only be worked on by brand new contributors
type: breaks-passivity
A change that breaks passivity with the previous release
type: bug
A general bug
Related to #10117 (comment)
ClaimAccessor#getClaimAsBoolean currently coerces any type into a Boolean, which is somewhat surprising when it is a map or list.

For example, the following snippet will somewhat surprisingly pass:

In reality, the above is a usage error. It would be better for the application to complain so that the developer can adjust their system.

getClaimAsBoolean should match core Java behavior more closely. It should only coerce booleans and Strings (like "true" and "FALSE") into Booleans.

The logic to change is in ObjectToBooleanConverter where it does:

This should instead do something like the following:

Then, getClaimAsBoolean should introduce an assertion, similar to the assertions in the other getClaimAsXXX methods:

Thereafter, if an application really needs the old behavior, it can register a custom converter like so:

during application startup.
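An added example, not code from this issue or from Spring Security: a stand-alone Java model of the behaviour discussed above, contrasting lenient coercion with a converter that accepts only Boolean and String, plus an accessor that rejects a claim of any other type. The class and method names, the toString()-based lenient path, the null result for an absent claim and the claim values are assumptions made for illustration.

```java
import java.util.List;
import java.util.Map;

public class ClaimBooleanDemo {

    // Assumed model of lenient coercion: any non-Boolean value goes through toString().
    static Boolean lenient(Object source) {
        if (source == null) return null;
        if (source instanceof Boolean) return (Boolean) source;
        return Boolean.valueOf(source.toString());
    }

    // Strict variant: only Boolean and String are converted; every other type yields null.
    static Boolean strict(Object source) {
        if (source instanceof Boolean) return (Boolean) source;
        if (source instanceof String) return Boolean.valueOf((String) source);
        return null;
    }

    // Accessor that fails loudly when a present claim cannot be converted,
    // instead of handing a silently coerced value to an authorization check.
    static Boolean getClaimAsBoolean(Map<String, Object> claims, String claim) {
        if (!claims.containsKey(claim)) return null;
        Object value = claims.get(claim);
        Boolean converted = strict(value);
        if (converted == null) {
            throw new IllegalArgumentException("Unable to convert claim '" + claim
                    + "' of type '" + (value == null ? null : value.getClass()) + "' to Boolean");
        }
        return converted;
    }

    public static void main(String[] args) {
        // Constructed claim set: "restricted" is mistakenly a list, "verified" is a string.
        Map<String, Object> claims = Map.of(
                "restricted", List.of("true"),
                "verified", "FALSE");

        // Lenient path: the list is turned into a Boolean without any complaint.
        System.out.println("lenient restricted = " + lenient(claims.get("restricted")));
        // Strict path: a string claim converts, the list claim is rejected.
        System.out.println("strict verified = " + getClaimAsBoolean(claims, "verified"));
        try {
            getClaimAsBoolean(claims, "restricted");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```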