micronaut-aws
MicronautLambdaAuthenticationFetcher creates empty map instead of null if claims are absent
In the current implementation of MicronautLambdaAuthenticationFetcher, different types of Authentication objects are returned depending on the existence of an authorizer in API Gateway.
In two places, when claims are absent, instead of creating an Authentication object with null claims, it creates an empty map.
When authorizer is present:
protected Map<String, Object> attributesOfClaims(CognitoAuthorizerClaims claims) {
    if (claims == null) {
        // absent claims become an empty map rather than null
        return Collections.emptyMap();
    }
    ....
}
When authorizer is absent:
return Flowable.just(
    new DefaultAuthentication(
        v,
        Collections.emptyMap() // no authorizer: claims are an empty map rather than null
    )
);
The problem caused by the empty map: in Micronaut Security, there is the following code in AbstractSecurityRule:
protected List<String> getRoles(Map<String, Object> claims) {
    List<String> roles = new ArrayList<>();
    if (claims == null) {
        // null claims: anonymous only
        roles.add(SecurityRule.IS_ANONYMOUS);
    } else {
        if (!claims.isEmpty()) {
            roles.addAll(rolesFinder.findInClaims(new MapClaims(claims)));
        }
        // any non-null map, even an empty one, is treated as authenticated
        roles.add(SecurityRule.IS_ANONYMOUS);
        roles.add(SecurityRule.IS_AUTHENTICATED);
    }
    return roles;
}
If claims are null and not empty, it actually adds the IS_ANONYMOUS & IS_ANONYMOUS roles, which causes AbstractSecurityRule to allow access even when it should not in certain cases.
Proposed solution: replace the empty map with null.
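To make the consequence concrete, here is a small self-contained Java program, added as an illustration and not code from micronaut-security or micronaut-aws. It copies the getRoles logic quoted above (with the rolesFinder lookup replaced by reading a hypothetical "roles" claim directly), evaluates a simplified "is any required role granted" check the way a rule for @Secured(IS_AUTHENTICATED) would, and contrasts the empty map the fetcher currently returns with the null the proposed fix would return. The normalizeClaims helper, the allowed check and the sample claim maps are assumptions for the demo; the IS_ANONYMOUS and IS_AUTHENTICATED string values are the ones defined in Micronaut's SecurityRule.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

public class EmptyClaimsDemo {
    // Role names as defined by Micronaut's SecurityRule interface.
    static final String IS_ANONYMOUS = "isAnonymous()";
    static final String IS_AUTHENTICATED = "isAuthenticated()";

    // Mirrors AbstractSecurityRule.getRoles as quoted in the issue. The
    // rolesFinder lookup is stubbed by reading a hypothetical "roles" claim.
    static List<String> getRoles(Map<String, Object> claims) {
        List<String> roles = new ArrayList<>();
        if (claims == null) {
            roles.add(IS_ANONYMOUS);
        } else {
            if (!claims.isEmpty()) {
                Object r = claims.get("roles");
                if (r instanceof List) {
                    for (Object o : (List<?>) r) {
                        roles.add(String.valueOf(o));
                    }
                }
            }
            // Reached for any non-null map, including an empty one.
            roles.add(IS_ANONYMOUS);
            roles.add(IS_AUTHENTICATED);
        }
        return roles;
    }

    // Simplified rule check (assumed for the demo): allowed when any granted
    // role is in the set required by the secured endpoint.
    static boolean allowed(List<String> required, Map<String, Object> claims) {
        List<String> granted = getRoles(claims);
        for (String r : required) {
            if (granted.contains(r)) {
                return true;
            }
        }
        return false;
    }

    // Hypothetical hardening of the fetcher: never hand an empty claims map
    // to the rules; absent claims are represented as null.
    static Map<String, Object> normalizeClaims(Map<String, Object> claims) {
        return (claims == null || claims.isEmpty()) ? null : claims;
    }

    public static void main(String[] args) {
        List<String> authenticatedOnly = Collections.singletonList(IS_AUTHENTICATED);

        // What the fetcher returns today when no authorizer ran (constructed input).
        Map<String, Object> noAuthorizer = Collections.emptyMap();
        System.out.println("empty map,  IS_AUTHENTICATED rule allows: "
                + allowed(authenticatedOnly, noAuthorizer));
        System.out.println("normalized, IS_AUTHENTICATED rule allows: "
                + allowed(authenticatedOnly, normalizeClaims(noAuthorizer)));

        // A request that did pass an authorizer and carries a roles claim (constructed input).
        Map<String, Object> withClaims =
                Collections.singletonMap("roles", Collections.singletonList("ADMIN"));
        System.out.println("ADMIN claim, ADMIN rule allows: "
                + allowed(Collections.singletonList("ADMIN"), normalizeClaims(withClaims)));
        System.out.println("ADMIN claim, IS_AUTHENTICATED rule allows: "
                + allowed(authenticatedOnly, normalizeClaims(withClaims)));
    }
}
```

Run it with `javac EmptyClaimsDemo.java && java EmptyClaimsDemo`. The first line shows the failure mode from the issue: an empty map takes the non-null branch of getRoles, so an endpoint secured with IS_AUTHENTICATED accepts a request that never went through an authorizer. Mapping the empty map to null before the rule runs closes that path without affecting requests that carry real claims.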
@sdelamo - Is there any update on this? There is another issue along similar lines.
I am going to work on AWS once the 3.4.0 release is out. I hope to update soon.