From 375fa35d553f5ea9eab4b5f481be996fcf1faf8e Mon Sep 17 00:00:00 2001
From: David Kral <david.k.kral@oracle.com>
Date: Mon, 20 Oct 2025 15:32:31 +0200
Subject: [PATCH 1/2] expected audience is no longer mandatory

Signed-off-by: David Kral <david.k.kral@oracle.com>
---
 .../helidon/security/providers/jwt/JwtProvider.java   | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
index fe97b5d2d23..1df46dafad7 100644
--- a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
+++ b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
@@ -24,6 +24,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
+import java.util.Set;
 
 import io.helidon.common.Errors;
 import io.helidon.common.config.Config;
@@ -168,12 +169,14 @@ private AuthenticationResponse authenticateToken(String token) {
             if (errors.isValid()) {
                 Jwt jwt = signedJwt.getJwt();
                 // perform all validations, including expected audience verification
-                JwtValidator jwtValidator = JwtValidator.builder()
+                JwtValidator.Builder jwtValidatorBuilder = JwtValidator.builder()
                         .addDefaultTimeValidators()
                         .addCriticalValidator()
-                        .addUserPrincipalValidator()
-                        .addAudienceValidator(expectedAudience)
-                        .build();
+                        .addUserPrincipalValidator();
+                if (expectedAudience != null) {
+                    jwtValidatorBuilder.addAudienceValidator(expectedAudience);
+                }
+                JwtValidator jwtValidator =  jwtValidatorBuilder.build();
                 Errors validate = jwtValidator.validate(jwt);
                 if (validate.isValid()) {
                     return AuthenticationResponse.success(buildSubject(jwt, signedJwt));

From 467dae929e6933ae2ac7502e686a2521d8d61e4f Mon Sep 17 00:00:00 2001
From: David Kral <david.k.kral@oracle.com>
Date: Mon, 3 Nov 2025 14:17:22 +0100
Subject: [PATCH 2/2] checkstyle

Signed-off-by: David Kral <david.k.kral@oracle.com>
---
 .../main/java/io/helidon/security/providers/jwt/JwtProvider.java | 1 -
 1 file changed, 1 deletion(-)

diff --git a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
index 1df46dafad7..de1d6281e91 100644
--- a/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
+++ b/security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java
@@ -24,7 +24,6 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
-import java.util.Set;
 
 import io.helidon.common.Errors;
 import io.helidon.common.config.Config;