lhotari opened a new pull request, #25672:
URL: https://github.com/apache/pulsar/pull/25672

   ### Motivation
   
   Pulsar's OIDC authentication provider (`pulsar-broker-auth-oidc`) depends on the Auth0 JWT libraries. The currently used versions (`com.auth0:java-jwt` 4.3.0 and `com.auth0:jwks-rsa` 0.22.0) are several releases behind. Upgrading brings in maintenance fixes and aligns the transitive Jackson dependency with the Jackson version (2.21.x) used elsewhere in Pulsar (PR #25664), reducing the risk of conflicting Jackson classes on the classpath.
   
   Notable upstream changes between current and target versions:
   
   `java-jwt` 4.3.0 → 4.5.2:
   - 4.4.0: preserves insertion order for claims; bumps Jackson to 2.14.2.
   - 4.5.0: fixes a Jackson security issue, deserializes empty-string audience claim correctly, and validates that an expected-audience array is non-empty (Pulsar already enforces this in `AuthenticationProviderOpenID#validateAllowedAudiences`).
   - 4.5.1: updates Jackson dependency to align with Pulsar's Jackson 2.21.x.
   - 4.5.2: bumps `commons-beanutils` dependency.
   
   `jwks-rsa` 0.22.0 → 0.23.1:
   - 0.22.1 / 0.22.2 / 0.23.1: Guava bumps.
   - 0.23.0: adds an optional cache implementation (Pulsar uses its own Caffeine-based `JwksCache`, so this is unused).
   
   No source code changes are required — the public APIs Pulsar uses (`JWT`, `JWTVerifier`, `Verification`, `Algorithm.RSA*/ECDSA*`, `Jwk.fromValues`, exception types) are unchanged.
   
   ### Modifications
   
   - Bump `auth0-java-jwt` from 4.3.0 to 4.5.2 in `gradle/libs.versions.toml`.
   - Bump `auth0-jwks-rsa` from 0.22.0 to 0.23.1 in `gradle/libs.versions.toml`.
   - Update the corresponding entries in `distribution/server/src/assemble/LICENSE.bin.txt`.
   
   ### Verifying this change
   
   - [x] Make sure that the change passes the CI checks.
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   Verified locally:
   
   - `./gradlew assemble` — BUILD SUCCESSFUL.
   - `./src/check-binary-license.sh distribution/server/build/distributions/apache-pulsar-*-bin.tar.gz` — passes.
   - `./src/check-binary-license.sh distribution/shell/build/distributions/apache-pulsar-shell-*-bin.tar.gz` — passes.
   - `./gradlew spotlessCheck checkstyleMain checkstyleTest` — BUILD SUCCESSFUL.
   
   ### Does this pull request potentially affect one of the following parts:
   
   - [x] Dependencies (add or upgrade a dependency)
   
   Upgrades transitive Auth0 JWT libraries used only by the OIDC authentication provider; no behavior change is expected.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
