StandardClaimAccessor.getEmailVerified returns null if the claim email_verified does not exist

[gotson]

Expected Behavior

The documentation of the method states:

Returns true if the user's e-mail address has been verified (email_verified), otherwise false.

Current Behavior

If the claim email_verified doesn't exist, returns null.

Context

A user of my application reported a NPE when trying to use OIDC with Azure AD.

IMHO, either the documentation should be enhanced to clarify that getEmailVerified can return null if the claim is not present, or the code should handle this in a try/catch block to return false if the claim does not exist.

[marcusdacoregio]

Hi @gotson, thanks for the report.

Are you interested in submitting a PR that fixes it? The PR would contain a test to reproduce the error and that is fixed after your solution.

[gotson]

Hi @gotson, thanks for the report.

Are you interested in submitting a PR that fixes it? The PR would contain a test to reproduce the error and that is fixed after your solution.

Hi, which solution do you think should be implemented, fixing the doc, or fixing the behavior? I can send a PR.

[gotson]

I thought about this a bit more, and folding the absence of claim as false is probably not a good choice, as we may want to differentiate between whether the claim is present (and true or false), or whether it's missing. In which case the Boolean would be null.

Does Spring Security uses Optional or @Nullable to provide hints on nullability?

[marcusdacoregio]

Returning false if the claim does not exist might be misleading indeed, and, returning null also align with the behavior of the various other methods in the class. Spring Security does not use optional because #9641, and @Nullable is being discussed here.

I think @Nullable could be a good idea, therefore I'll close this to keep the discussion in #8389.