Expected Behavior

The documentation of the method states:

Returns true if the user's e-mail address has been verified (email_verified), otherwise false.

Current Behavior

If the claim email_verified doesn't exist, returns null.

Context

A user of my application reported an NPE when trying to use OIDC with Azure AD.

IMHO, either the documentation should be enhanced to clarify that getEmailVerified can return null if the claim is not present, or the code should handle this in a try/catch block to return false if the claim does not exist.
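The NPE described in this report, reproduced and then consumed null-safely, as an added example that is not part of the original report or of Spring Security's own code. It assumes Spring Security's OidcUserInfo built from a claims map; the claim values (sub, email) are constructed sample data, and the UserInfo without email_verified stands in for the Azure AD case reported above.

```java
// Added example (not from the issue or from Spring Security): reproduces the
// reported NPE and shows a null-safe way to consume getEmailVerified().
import java.util.HashMap;
import java.util.Map;

import org.springframework.security.oauth2.core.oidc.OidcUserInfo;

public class EmailVerifiedCheck {

    // The pattern that produces the reported NPE: getEmailVerified() returns a
    // Boolean, and returning it as a primitive boolean auto-unboxes it. When the
    // claim is absent the value is null and the unboxing throws.
    static boolean unsafeIsVerified(OidcUserInfo userInfo) {
        return userInfo.getEmailVerified(); // NullPointerException if email_verified is missing
    }

    // Null-safe version: only an explicit true counts as verified. An absent claim
    // and an explicit false both fail closed, which is what an authorization
    // decision that relies on the e-mail (for example account linking) should do.
    static boolean isVerified(OidcUserInfo userInfo) {
        return Boolean.TRUE.equals(userInfo.getEmailVerified());
    }

    // Preserves the three-way distinction (present and true, present and false,
    // absent) for logging and diagnostics.
    static String describeEmailVerified(OidcUserInfo userInfo) {
        Boolean verified = userInfo.getEmailVerified();
        if (verified == null) {
            return "email_verified claim absent";
        }
        return verified ? "email_verified=true" : "email_verified=false";
    }

    public static void main(String[] args) {
        // Constructed sample claims: a UserInfo response that carries an e-mail
        // but no email_verified claim.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "00000000-0000-0000-0000-000000000000"); // placeholder subject
        claims.put("email", "alice@example.com");                  // constructed address
        OidcUserInfo withoutClaim = new OidcUserInfo(claims);

        // Same user, this time with the claim present and true.
        Map<String, Object> claimsWithFlag = new HashMap<>(claims);
        claimsWithFlag.put("email_verified", true);
        OidcUserInfo withClaim = new OidcUserInfo(claimsWithFlag);

        System.out.println(describeEmailVerified(withoutClaim));
        System.out.println("isVerified(withoutClaim) = " + isVerified(withoutClaim));
        System.out.println(describeEmailVerified(withClaim));
        System.out.println("isVerified(withClaim) = " + isVerified(withClaim));

        try {
            unsafeIsVerified(withoutClaim);
        } catch (NullPointerException e) {
            System.out.println("unsafeIsVerified threw NullPointerException, as reported");
        }
    }
}
```

The point for application code is that a Boolean-returning accessor must be compared with Boolean.TRUE.equals (or checked against null) rather than used directly in a condition, and that a missing email_verified claim must never be read as "verified".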

Comment From: marcusdacoregio

Hi @gotson, thanks for the report.

Are you interested in submitting a PR that fixes it? The PR would contain a test to reproduce the error and that is fixed after your solution.

Comment From: gotson

> Hi @gotson, thanks for the report.
>
> Are you interested in submitting a PR that fixes it? The PR would contain a test to reproduce the error and that is fixed after your solution.

Hi, which solution do you think should be implemented, fixing the doc, or fixing the behavior? I can send a PR.

Comment From: gotson

I thought about this a bit more, and folding the absence of the claim into false is probably not a good choice, as we may want to differentiate between whether the claim is present (and true or false), or whether it's missing. In which case the Boolean would be null.

Does Spring Security use Optional or @Nullable to provide hints on nullability?

Comment From: marcusdacoregio

Returning false if the claim does not exist might be misleading indeed, and returning null also aligns with the behavior of the various other methods in the class. Spring Security does not use Optional because of #9641, and @Nullable is being discussed here.

I think @Nullable could be a good idea, therefore I'll close this to keep the discussion in #8389.