
PublicClaims.AUDIENCE (aud) expected to be String or "Array of Strings", not Collection(aka List) by PayloadSerializer #508

Closed
yeDor opened this issue Aug 30, 2021 · 2 comments · Fixed by #512
Labels
bug This points to a verified bug in the code

Comments

@yeDor

yeDor commented Aug 30, 2021

Describe the problem

By default Jackson deserializes to ArrayList. Cannot find an easy way to change this behavior.
So, having payload = {exp=1630398915, aud=["firma_x","firma_y"]}, the following code

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import java.util.Map;

    Map payloadMap = new ObjectMapper().readValue(payload, Map.class); // "aud" becomes an ArrayList
    String result = JWT.create()
                       .withPayload(payloadMap)
                       .sign(Algorithm.HMAC256("secret"));            // ClassCastException in PayloadSerializer

will cause an exception:

Caused by: java.lang.ClassCastException: class java.util.ArrayList cannot be cast to class [Ljava.lang.String; (java.util.ArrayList and [Ljava.lang.String; are in module java.base of loader 'bootstrap')
	at com.auth0.jwt.impl.PayloadSerializer.serialize(PayloadSerializer.java:40)
	at com.auth0.jwt.impl.PayloadSerializer.serialize(PayloadSerializer.java:18)
	at com.fasterxml.jackson.databind.ser.DefaultSerializerProvider._serialize(DefaultSerializerProvider.java:480)

Not sure why special handling for PublicClaims.AUDIENCE is needed in the first place, but it could be much more convenient to support collections as well.

Note: no errors in other places (claims) where collections are used.

What was the expected behavior?

Collections can be handled as well.

Environment

  • Version of this library used: 3.18.1
  • Version of Java used: jdk-14.0.2
  • Other modules/plugins/libraries that might be involved: com.fasterxml.jackson.core:jackson-databind:2.12.4
@yeDor

yeDor commented Aug 30, 2021

Update:
Found the Jackson feature USE_JAVA_ARRAY_FOR_JSON_ARRAY.

Unfortunately it is even worse, as in this case another exception is produced, and not just for the single PublicClaims.AUDIENCE claim but everywhere a collection (array) is used:

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.fasterxml.jackson.databind.DeserializationFeature;
    import com.fasterxml.jackson.databind.ObjectMapper;
    import java.util.Map;

    Map payloadMap = new ObjectMapper()
        .configure(DeserializationFeature.USE_JAVA_ARRAY_FOR_JSON_ARRAY, true)
        .readValue(payload, Map.class);        // every JSON array is now an Object[]
    String result = JWT.create()
                       .withPayload(payloadMap) // IllegalArgumentException: arrays are not an accepted claim type
                       .sign(Algorithm.HMAC256("secret"));

Exception:

java.lang.IllegalArgumentException: Claim values must only be of types Map, List, Boolean, Integer, Long, Double, String and Date
	at com.auth0.jwt.JWTCreator$Builder.withPayload(JWTCreator.java:383)

@jimmyjames jimmyjames added the needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue label Aug 31, 2021
@jimmyjames

Thanks for the good details and steps to reproduce @yeDor! We have special handling in place for the aud claim: if it's a single value, we write that string; if it's multiple values (we use String[] internally) we write it as an array. The withPayload method exposes the issue you've discovered, but I think we should be able to handle both Lists and String arrays without issue when serializing the aud claim. I've added it to our backlog; hopefully if it's a straightforward change I can get a PR out this week.

@jimmyjames jimmyjames added bug This points to a verified bug in the code and removed needs investigation An issue that has more questions to answer or otherwise needs work to fully understand the issue labels Aug 31, 2021
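As an added example (not the reporter's code and not from the java-jwt project), one way to sidestep the serializer's String[] expectation until the library accepts a List for aud: remove the aud entry from the Jackson map before withPayload and hand it to the builder's own withAudience(String...) method, then verify the audience on the consuming side so the claim still does its job. The class name, the constructed payload and the demo HMAC secret are assumptions.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.util.List;
import java.util.Map;

public class AudienceWorkaround {

    // Builds the token from a Jackson-deserialized map, but routes the "aud"
    // entry through withAudience(String...) instead of withPayload, so the
    // serializer never sees an ArrayList where it expects String[].
    static String signFromMap(String json, Algorithm alg) throws Exception {
        Map<String, Object> claims = new ObjectMapper()
                .readValue(json, new TypeReference<Map<String, Object>>() {});
        Object aud = claims.remove("aud");              // pulled out before withPayload
        JWTCreator.Builder builder = JWT.create().withPayload(claims);
        if (aud instanceof String) {
            builder.withAudience((String) aud);         // single-value form
        } else if (aud instanceof List) {
            List<?> list = (List<?>) aud;               // multi-value form
            builder.withAudience(list.stream().map(String::valueOf).toArray(String[]::new));
        } else if (aud != null) {
            throw new IllegalArgumentException("aud must be a string or an array of strings");
        }
        return builder.sign(alg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payload with the same shape as the one in the issue;
        // exp is set one hour ahead so the verification below does not fail on expiry.
        String payload = "{\"exp\":" + (System.currentTimeMillis() / 1000 + 3600)
                + ",\"aud\":[\"firma_x\",\"firma_y\"]}";
        Algorithm alg = Algorithm.HMAC256("secret");    // demo key only
        String token = signFromMap(payload, alg);

        // Consumer side: require one of the audiences, then read back the full list
        // to confirm the List form round-tripped as a JSON array of strings.
        DecodedJWT jwt = JWT.require(alg).withAudience("firma_x").build().verify(token);
        System.out.println(jwt.getAudience());
    }
}
```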