Fix JWT attribute parsing of lists in AbstractHTTPJwtAuthenticator

[vpratz]

Description

Category: Bug fix

The fix is very similar to #4884, as it is the same issue as #4267, except that jwks_uri is used instead of signing_key.
#4267 was fixed by adapting HTTPJwtAuthenticator, but AbstractHTTPJwtAuthenticator and its sub-classes, most importantly HTTPJwtKeyByJWKSAuthenticator, have not received this fix.

This leads to strange behavior that everything works as expected when using signing_key, which relies on HTTPJwtAuthenticator, but fails when switching to jwks_uri, which uses HTTPJwtKeyByJWKSAuthenticator.

This PR aligns the two implementations and enables correct serialization of lists from the JWT.

I think the tests show already quite well what is going on, if I should provide additional examples, please let me know.

Issues Resolved

#4267 (was resolved by #4884 when signing_key is used, but still fails with jwks_uri). Please let me know if I should open an additional Issue to track this bug.

Testing

I have adapted the existing tests, where attr.jwt.aud is a list.

Check List

• New functionality includes testing
• New functionality has been documented
• Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[vpratz]

Sorry for the force-push, I forgot to use signoff.
This test failure looks like a flaky CI to me. Is this correct or is there something that needs fixing from my side? https://github.com/opensearch-project/security/actions/runs/23846544293/job/69544904272

[cwperks]

Sorry for the force-push, I forgot to use signoff. This test failure looks like a flaky CI to me. Is this correct or is there something that needs fixing from my side? https://github.com/opensearch-project/security/actions/runs/23846544293/job/69544904272

yes this is flaky. I will re-run them if they fail.

[cwperks]

TY for the fix!

[codecov]

Codecov Report

❌ Patch coverage is 84.21053% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.08%. Comparing base (db9efb6) to head (70d1b03).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	84.21%	3 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6058      +/-   ##
==========================================
+ Coverage   73.98%   74.08%   +0.09%     
==========================================
  Files         441      441              
  Lines       27413    27479      +66     
  Branches     4110     4119       +9     
==========================================
+ Hits        20281    20357      +76     
+ Misses       5193     5184       -9     
+ Partials     1939     1938       -1     

Files with missing lines	Coverage Δ
...ty/auth/http/jwt/AbstractHTTPJwtAuthenticator.java	68.03% <84.21%> (+2.64%)	⬆️

... and 7 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vpratz]

Thanks a lot for the quick review and your work on this project in general!