andy-vertex opened a new issue, #25190: URL: https://github.com/apache/pulsar/issues/25190
### Search before reporting - [x] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar. ### Motivation When using OIDC as the authentication provider, `nbf` is a required claim as seen in code [here](https://github.com/apache/pulsar/blob/master/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java#L448) When using Auth0 as a provider, which doesn't return the `nbf` field, it results in OIDC being unusable: https://community.auth0.com/t/jwt-token-does-not-contain-nbf-claim-again/62350 ### Solution I think the field should be removed or optional. ### Alternatives I don't know. ### Anything else? I am not sure what the required claims are based on but according to the [comments](https://github.com/apache/pulsar/blob/master/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java#L442C57-L442C119) above the required claims, it should mirror https://openid.net/specs/openid-connect-basic-1_0.html#IDToken but in that doc, nbf doesn't show up. I also did find this [Issue ](https://github.com/apache/pulsar/issues/20829)which is similar but instead for allowing `aud` to be optional but it was closed and I couldn't find the relevant changes made. ### Are you willing to submit a PR? - [ ] I'm willing to submit a PR! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
