nodece commented on issue #25071: URL: https://github.com/apache/pulsar/issues/25071#issuecomment-3770942343
@shasank112001 We're focusing specifically on the case where **both** `forwardAuthorizationCredentials` and `authenticateOriginalAuthData` are set to `true`. The issue is: **if either of these is disabled, the broker won't properly handle token expiration**, meaning expired client connections won't be closed as expected.

Here's why this happens:

The current proxy implementation ([ProxyConnection.java#L522-L525](https://github.com/apache/pulsar/blob/1050f48035c97a14094b812467f046f6d37ff6f4/pulsar-proxy/src/main/java/org/apache/pulsar/proxy/server/ProxyConnection.java#L522-L525)) assumes the broker will always validate token expiration. However:

- **When `authenticateOriginalAuthData=false`:** The broker only validates the proxy's credentials, not the original client's token
- **Result:** Expired client tokens slip through undetected, and stale connections persist

A workaround:

So both settings must be enabled together for proper token expiration handling through the broker and proxy.

I will open a PR to fix this issue.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
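The following is an added, constructed model of the decision logic described in the comment above; it is not Pulsar's code and does not call the Pulsar API. It assumes unsigned JWT-shaped tokens with an `exp` claim and models the proxy forwarding (or not) the client's token and the broker checking (or not) the forwarded token, so the four combinations of the two settings can be compared.

```python
import base64
import json

# Constructed model (not Pulsar's implementation) of how token expiry is
# checked when a client connects through a proxy to a broker.


def make_token(subject: str, exp: int) -> str:
    """Build an unsigned JWT-shaped token (header.payload.signature) for the model."""
    def b64(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'sub': subject, 'exp': exp})}.sig"


def token_expired(token: str, now: int) -> bool:
    """Decode the payload segment and compare its exp claim with the current time."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return payload["exp"] <= now


def proxy_forwards(client_token: str, forward_authorization_credentials: bool):
    """Model of forwardAuthorizationCredentials: forward the original token or nothing."""
    return client_token if forward_authorization_credentials else None


def broker_accepts(proxy_token: str, original_token, authenticate_original_auth_data: bool, now: int):
    """Model of the broker: always checks the proxy's credentials; checks the original
    client's token only when authenticateOriginalAuthData is on AND the token was forwarded."""
    if token_expired(proxy_token, now):
        return False, "proxy credentials expired"
    if authenticate_original_auth_data and original_token is not None:
        if token_expired(original_token, now):
            return False, "original client token expired"
    return True, "accepted"


def connection_survives(client_token: str, forward: bool, authenticate_original: bool, now: int) -> bool:
    """True means the broker keeps the connection open for this client token."""
    proxy_token = make_token("proxy", now + 3600)  # the proxy's own, still-valid credential
    accepted, _reason = broker_accepts(proxy_token, proxy_forwards(client_token, forward),
                                       authenticate_original, now)
    return accepted


if __name__ == "__main__":
    NOW = 1_700_000_000
    expired = make_token("client", NOW - 1)
    for forward, auth in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"forward={forward} authenticateOriginal={auth} -> "
              f"expired client stays connected: {connection_survives(expired, forward, auth, NOW)}")
```

Only the `(True, True)` row closes the connection holding an expired client token; in the other three rows the broker never sees, or never checks, the original token, which is the behaviour the comment describes.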
