
Commit d630394

[fix][misc] Allow JWT tokens in OpenID auth without nbf claim (#25197)
1 parent d0efdd7 commit d630394

2 files changed

Lines changed: 15 additions & 1 deletion


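--- a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
+++ b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
@@ -445,7 +445,6 @@ DecodedJWT verifyJWT(PublicKey publicKey,
 .withAnyOfAudience(allowedAudiences)
 .withClaimPresence(RegisteredClaims.ISSUED_AT)
 .withClaimPresence(RegisteredClaims.EXPIRES_AT)
-.withClaimPresence(RegisteredClaims.NOT_BEFORE)
 .withClaimPresence(RegisteredClaims.SUBJECT);
 
 if (isRoleClaimNotSubject) {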
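Review bot: The builder chain on the new side still makes `iat`, `exp` and `sub` mandatory but now silently drops the `nbf` presence requirement, and nothing in the code records that this asymmetry is intentional. RFC 7519 lists `nbf` as optional, so relaxing the check is sound, but a reader of `verifyJWT` cannot tell from this chain whether a present `nbf` is still enforced; I would add above the chain `// "nbf" is optional (RFC 7519 §4.1.5); when present it is still validated by the verifier, see ensureFutureNBFFails`. That a future `nbf` is still rejected is inferred from the existing `ensureFutureNBFFails` test named in the test-file hunk, not from anything visible here, so it is worth confirming that test still runs against this chain. `verifyJWT` starts and ends outside the hunk.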

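--- a/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
+++ b/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
@@ -18,6 +18,7 @@
 */
 package org.apache.pulsar.broker.authentication.oidc;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
 import static org.testng.Assert.assertNull;
 import com.auth0.jwt.JWT;
@@ -196,6 +197,20 @@ public void ensureFutureNBFFails() throws Exception {
 () -> basicProvider.verifyJWT(keyPair.getPublic(), SignatureAlgorithm.RS256.getValue(), jwt));
 }
 
+@Test
+public void ensureWithoutNBFSucceeds() throws Exception {
+KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
+DefaultJwtBuilder defaultJwtBuilder = new DefaultJwtBuilder();
+addValidMandatoryClaims(defaultJwtBuilder, basicProviderAudience);
+// remove "nbf" claim
+defaultJwtBuilder.setNotBefore(null);
+defaultJwtBuilder.signWith(keyPair.getPrivate());
+DecodedJWT jwt = JWT.decode(defaultJwtBuilder.compact());
+assertThat(jwt.getNotBefore()).isNull();
+assertThat(jwt.getClaims().get("nbf")).isNull();
+basicProvider.verifyJWT(keyPair.getPublic(), SignatureAlgorithm.RS256.getValue(), jwt);
+}
+
 @Test
 public void ensureFutureIATFails() throws Exception {
 KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);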
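Review bot: `ensureWithoutNBFSucceeds` only checks that `verifyJWT` does not throw; the returned `DecodedJWT` is discarded on the last line of the method, so a regression that returns null would pass unnoticed. I would capture the result, `DecodedJWT verified = basicProvider.verifyJWT(keyPair.getPublic(), SignatureAlgorithm.RS256.getValue(), jwt);` followed by `assertThat(verified).isNotNull();`. The two null assertions on `getNotBefore()` and `getClaims().get("nbf")` are redundant with each other; either one alone confirms that `setNotBefore(null)` removed the claim that `addValidMandatoryClaims` presumably set, and a short comment saying so would make the intent of the pair clear. The enclosing test class continues outside the hunk.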
