shasank112001 opened a new issue, #25071: URL: https://github.com/apache/pulsar/issues/25071
### Search before reporting

- [x] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Motivation

Currently, if you utilize Pulsar Proxies, then to properly support JWT authentication and client disconnects after token expiry, one must enable authenticateOriginalAuthData on brokers. If disabled, then connected clients with expired tokens can still produce/consume on topics, as discussed in this issue #25062.

However, authenticateOriginalAuthData is not supported by authentication methods like AuthenticationProviderTLS, as the proxy performs a re-encrypt of the TLS connection and therefore authenticating the original principal always leads to the proxy identity, which is not useful when authorizing.

### Solution

1. AuthenticateOriginalAuthData can be made a property of the AuthenticationProvider itself. With JWTs the original auth data must be authenticated, as otherwise connections will be kept open after token expiry. Therefore, it makes sense to include the property on the provider itself.
3. Terminate connections on Proxy if a token expires: I am not familiar with all the intricacies of how the proxy closes connections, but I do know that the Proxy does send a Disconnect to the client when it asserts the token to have expired. Therefore, if we can add a hook to the disconnect command to close all proxied connections, we can get rid of authenticateOriginalAuthData completely.

### Alternatives

_No response_

### Anything else?

I am willing to work on this; however, if solution 2 is possible, I would like a bit of help understanding the logic behind the proxy connections.

### Are you willing to submit a PR?

- [ ] I'm willing to submit a PR!

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
