qweasd1 commented on issue #25190:
URL: https://github.com/apache/pulsar/issues/25190#issuecomment-3820116332

   Hi @lhotari, we are an enterprise customer of Auth0. We have already 
communicated with their enterprise support, and they tell us they have no 
support for nbf, which matches what we have in the Auth0 community: 
https://community.auth0.com/t/jwt-token-does-not-contain-nbf-claim-again/62350 
   
   Also, Auth0 is free to open a test account with; I think if you want, you can 
generate an M2M JWT token and see if nbf is in it. 
   
   Back to your code link to auth0 java-jwt: if you drill down to the sample 
code they give 
[here](https://github.com/auth0/java-jwt?tab=readme-ov-file#verify-a-jwt)
   
   
   they call the `build()` method on the JWTVerifier. 
   
   While in the code link you have, the `RegisteredClaims.NOT_BEFORE` is 
called inside addMandatoryClaimChecks() 
https://github.com/auth0/java-jwt/blob/ee7332b023719a9007be0caf5ef7608840fc4946/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L302C22-L315
   
   
   and this method is in turn called in the `build(Clock clock)` method 
https://github.com/auth0/java-jwt/blob/ee7332b023719a9007be0caf5ef7608840fc4946/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L286-L290
 
   
   
   From the comment you can see this method is only for test purposes, and I 
don't believe it's on the path people use. 
   
   As a general JWT verification framework like java-jwt... what it provides is 
a method to configure a verifier based on claims instead of assuming any JWT 
claim must appear in all JWTs... 
   
   So the right way to configure it is: if someone wants to test nbf, go with 
this method 
https://github.com/auth0/java-jwt/blob/ee7332b023719a9007be0caf5ef7608840fc4946/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L144-L148
   
   
   Sorry for the long post, but I think we should not force nbf on Pulsar 
verification, and Auth0 doesn't provide it. 
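
Added example, not part of the comment above and not code from Pulsar or java-jwt: a sketch of the two verifier policies under discussion, one that validates nbf only when the token carries it and one that opts in to requiring it. It assumes java-jwt 4.x on the classpath; the secret, the issuer and the choice of `withClaimPresence` as the opt-in are this example's own and are not taken from the issue or its links.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.JWTVerifier;
import java.time.Instant;

public class NbfPolicyDemo {
    // Constructed demo secret and issuer; not values from the issue.
    static final Algorithm ALG = Algorithm.HMAC256("constructed-demo-secret");
    static final String ISSUER = "https://issuer.example/";

    /** Returns "accepted" or the verifier's rejection reason. */
    static String check(JWTVerifier verifier, String token) {
        try {
            verifier.verify(token);
            return "accepted";
        } catch (JWTVerificationException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        // Token shaped like the one the comment describes: exp but no nbf.
        String noNbf = JWT.create().withIssuer(ISSUER)
                .withExpiresAt(now.plusSeconds(300)).sign(ALG);
        // Token that does carry nbf, set one hour in the future.
        String futureNbf = JWT.create().withIssuer(ISSUER)
                .withNotBefore(now.plusSeconds(3600))
                .withExpiresAt(now.plusSeconds(7200)).sign(ALG);

        // Policy A: nbf is validated only when the token contains it.
        JWTVerifier optionalNbf = JWT.require(ALG).withIssuer(ISSUER).build();
        // Policy B: the deployment opts in to requiring nbf to be present.
        JWTVerifier requiredNbf = JWT.require(ALG).withIssuer(ISSUER)
                .withClaimPresence("nbf").build();

        System.out.println("A, no nbf:     " + check(optionalNbf, noNbf));
        System.out.println("A, future nbf: " + check(optionalNbf, futureNbf));
        System.out.println("B, no nbf:     " + check(requiredNbf, noNbf));
    }
}
```

Under policy A a premature token is still rejected when it carries nbf, so treating the claim as optional does not disable the check for issuers that do emit it.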
   
   
   
   

