
MappedJwtClaimSetConverter#withDefaults doesn't remove claims from JWT as documented #10135

@fguenci

Description


Describe the bug
As stated in the Spring Security documentation, to remove a claim from a JWT, just pass a converter for that claim to MappedJwtClaimSetConverter.withDefaults() that returns null.
Actually, this setting doesn't remove the claim from the JWT.

I think the problem is in the class org.springframework.security.oauth2.core.converter.ClaimTypeConverter, method convert.

	public Map<String, Object> convert(Map<String, Object> claims) {
		if (CollectionUtils.isEmpty(claims)) {
			return claims;
		}

		// Start from a copy that already holds every incoming claim.
		Map<String, Object> result = new HashMap<>(claims);
		this.claimTypeConverters.forEach((claimName, typeConverter) -> {
			if (claims.containsKey(claimName)) {
				Object claim = claims.get(claimName);
				Object mappedClaim = typeConverter.convert(claim);
				// A null result is skipped, so the original value copied above
				// stays in `result` instead of being replaced.
				if (mappedClaim != null) {
					result.put(claimName, mappedClaim);
				}
			}
		});

		return result;
	}

I think that the result map should contain all the mapped claims even if the value is null, because null-valued claims are removed later.

To Reproduce
Steps to reproduce:
I want to remove the NBF claim from the JWT.
To do that, I set on my JwtDecoder a converter that returns null for this claim:

		// Decoder that fetches the signing keys from the JWK Set endpoint.
		var jwtDecoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
		// Default claim converters plus one for "nbf" that always returns null, intended to drop the claim.
		var converter = MappedJwtClaimSetConverter.withDefaults(Collections.singletonMap(JwtClaimNames.NBF, nbfClaimValue -> null));
		jwtDecoder.setClaimSetConverter(converter);

Expected behavior
The decoded JWT doesn't contain the NBF claim.
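The following is an added, stand-alone illustration of the two conversion steps the report describes; it is not Spring Security code and does not call the library. Both converter variants, the cleanup method and the claim set are constructed here for the example: convertSkippingNulls mirrors the convert() shown above, convertKeepingNulls writes the converter result back even when it is null, and removeNullClaims stands in for the later step the reporter says drops null-valued claims. Worth keeping in mind when doing this deliberately: the decoder's timestamp validation only enforces a not-before time when the nbf claim is present, so successfully dropping the claim also switches that check off.

```java
import java.time.Instant;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;

/**
 * Added example, not Spring Security code: a minimal model of the two
 * conversion steps discussed in the report, run over a constructed claim set.
 */
public class NullClaimRemovalDemo {

    /** Models the reported convert(): a null result is skipped, so the copied original value survives. */
    static Map<String, Object> convertSkippingNulls(Map<String, Object> claims,
                                                    Map<String, Function<Object, Object>> converters) {
        Map<String, Object> result = new HashMap<>(claims);
        converters.forEach((claimName, converter) -> {
            if (claims.containsKey(claimName)) {
                Object mapped = converter.apply(claims.get(claimName));
                if (mapped != null) {          // null is never written back
                    result.put(claimName, mapped);
                }
            }
        });
        return result;
    }

    /** Models the report's proposal: write the converter result back even when it is null. */
    static Map<String, Object> convertKeepingNulls(Map<String, Object> claims,
                                                   Map<String, Function<Object, Object>> converters) {
        Map<String, Object> result = new HashMap<>(claims);   // HashMap permits null values
        converters.forEach((claimName, converter) -> {
            if (claims.containsKey(claimName)) {
                result.put(claimName, converter.apply(claims.get(claimName)));
            }
        });
        return result;
    }

    /** Models the later cleanup the report refers to: every claim whose value is null is dropped. */
    static Map<String, Object> removeNullClaims(Map<String, Object> claims) {
        Map<String, Object> cleaned = new HashMap<>(claims);
        cleaned.values().removeIf(Objects::isNull);
        return cleaned;
    }

    public static void main(String[] args) {
        // Constructed claim set standing in for a decoded JWT payload.
        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("iss", "https://issuer.example");
        claims.put("sub", "alice");
        claims.put("nbf", Instant.parse("2021-01-01T00:00:00Z"));
        claims.put("exp", Instant.parse("2021-01-01T01:00:00Z"));

        // Same shape as the report: a converter for "nbf" that always returns null.
        Map<String, Function<Object, Object>> converters =
                Collections.singletonMap("nbf", value -> null);

        Map<String, Object> reported = removeNullClaims(convertSkippingNulls(claims, converters));
        Map<String, Object> proposed = removeNullClaims(convertKeepingNulls(claims, converters));

        System.out.println("skip-null path, nbf present: " + reported.containsKey("nbf"));
        System.out.println("keep-null path, nbf present: " + proposed.containsKey("nbf"));
    }
}
```

On the skip-null path the original Instant copied by `new HashMap<>(claims)` is never overwritten, so the cleanup finds nothing null and nbf survives; on the keep-null path the null is recorded and the cleanup removes the claim, which is the behaviour the reporter expects.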

Metadata


Labels

in: oauth2 (An issue in OAuth2 modules: oauth2-core, oauth2-client, oauth2-resource-server, oauth2-jose)
status: backported (An issue that has been backported to maintenance branches)
type: bug (A general bug)
