JwtProvider expected audience is no longer mandatory (#10778)

JwtProvider expected audience is no longer mandatory

Signed-off-by: David Kral <[email protected]>

Author: Verdent

security/providers/jwt/src/main/java/io/helidon/security/providers/jwt/JwtProvider.java

@@ -168,12 +168,14 @@ private AuthenticationResponse authenticateToken(String token) {
             if (errors.isValid()) {
                 Jwt jwt = signedJwt.getJwt();
                 // perform all validations, including expected audience verification
-                JwtValidator jwtValidator = JwtValidator.builder()
+                JwtValidator.Builder jwtValidatorBuilder = JwtValidator.builder()
                         .addDefaultTimeValidators()
                         .addCriticalValidator()
-                        .addUserPrincipalValidator()
-                        .addAudienceValidator(expectedAudience)
-                        .build();
+                        .addUserPrincipalValidator();
+                if (expectedAudience != null) {
+                    jwtValidatorBuilder.addAudienceValidator(expectedAudience);
+                }
+                JwtValidator jwtValidator =  jwtValidatorBuilder.build();
                 Errors validate = jwtValidator.validate(jwt);
                 if (validate.isValid()) {
                     return AuthenticationResponse.success(buildSubject(jwt, signedJwt));