zzzz465 opened a new issue, #20829: URL: https://github.com/apache/pulsar/issues/20829
### Search before asking

- [X] I searched in the [issues](https://github.com/apache/pulsar/issues) and found nothing similar.

### Motivation

I'm using Apache Pulsar 3.0.0 with the OIDC authentication flow. When using a ServiceAccount token as an OIDC token, the token projected into a Secret isn't the same as the token projected into a pod.

```json
{
  "header": {
    "alg": "RS256",
    "kid": "<kid>"
  },
  "payload": {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "test-pulsar-resources",
    "kubernetes.io/serviceaccount/secret.name": "pulsar-connection-secret",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "kubernetes.io/serviceaccount/service-account.uid": "3df0c728-6810-4162-b9c7-ab9308cbe60c",
    "sub": "system:serviceaccount:test-pulsar-resources:default"
  },
  "signature": "<sig>"
}
```

The above is a decoded JWT from the Secret-projected service account token. As you can see, there's no `aud` claim, and the `iss` claim is different from the issuer we get from the k8s API OIDC endpoint.

### Solution

To avoid this issue, we need an option to ignore the `aud` claim check for specific allowed issuers.

### Alternatives

Currently I'm using a custom auth class to avoid the issue.

### Anything else?

Related: https://github.com/streamnative/pulsar-resources-operator/issues/125

### Are you willing to submit a PR?

- [X] I'm willing to submit a PR!

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
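The two token shapes described in the issue, and the per-issuer `aud` exemption it asks for, modelled as an added, stand-alone example. This is not code from the issue author and not Pulsar's `AuthenticationProviderOpenID`; the exemption option is this example's own design, not an existing Pulsar setting. Assumptions: the tokens are constructed here and signed with HS256 and a constructed HMAC key instead of the cluster's RS256 key (so it runs on the standard library alone); the projected-token issuer URL is a constructed placeholder; the verifier checks the signature first, then issuer, expiry and audience, and only skips the audience check when the token carries no `aud` at all and its issuer is on the exempt list.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS. HS256 stands in for Kubernetes' RS256 (assumption)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the signature before trusting any claim; return the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


@dataclass
class ClaimsPolicy:
    allowed_issuers: set                 # issuers whose tokens are accepted at all
    required_audience: str               # what a present `aud` must contain
    audience_exempt_issuers: set = field(default_factory=set)  # may omit `aud`


def validate(token: str, key: bytes, policy: ClaimsPolicy,
             now: Optional[float] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (subject, None) on success or (None, reason) on rejection."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return None, str(exc)
    iss = claims.get("iss")
    if iss not in policy.allowed_issuers:
        return None, f"issuer not allowed: {iss!r}"
    exp = claims.get("exp")
    if exp is not None and (now if now is not None else time.time()) >= exp:
        return None, "token expired"
    aud = claims.get("aud")
    if aud is None:
        # Legacy Secret-based SA tokens carry no audience; allow only for exempt issuers.
        if iss not in policy.audience_exempt_issuers:
            return None, "missing aud claim"
    else:
        # A token that names an audience was minted for someone; hold it to that.
        audiences = aud if isinstance(aud, list) else [aud]
        if policy.required_audience not in audiences:
            return None, f"audience mismatch: {audiences!r}"
    sub = claims.get("sub")
    return (sub, None) if sub else (None, "missing sub claim")


# Constructed sample material (not real keys, tokens or cluster addresses).
KEY = b"constructed-demo-key-not-a-real-kubernetes-signing-key"
LEGACY_ISSUER = "kubernetes/serviceaccount"
K8S_OIDC_ISSUER = "https://kubernetes.default.svc.cluster.local"  # placeholder
SUBJECT = "system:serviceaccount:test-pulsar-resources:default"

LEGACY_SECRET_TOKEN = mint_hs256({
    "iss": LEGACY_ISSUER,
    "kubernetes.io/serviceaccount/namespace": "test-pulsar-resources",
    "kubernetes.io/serviceaccount/secret.name": "pulsar-connection-secret",
    "kubernetes.io/serviceaccount/service-account.name": "default",
    "sub": SUBJECT,
}, KEY)
PROJECTED_TOKEN = mint_hs256({
    "iss": K8S_OIDC_ISSUER, "aud": ["pulsar"], "exp": 4102444800, "sub": SUBJECT,
}, KEY)

STRICT = ClaimsPolicy({K8S_OIDC_ISSUER, LEGACY_ISSUER}, "pulsar")
EXEMPT_LEGACY = ClaimsPolicy({K8S_OIDC_ISSUER, LEGACY_ISSUER}, "pulsar", {LEGACY_ISSUER})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_SECRET_TOKEN), ("projected", PROJECTED_TOKEN)):
        print(name, "strict:", validate(tok, KEY, STRICT), "exempt:", validate(tok, KEY, EXEMPT_LEGACY))
```

The exemption deliberately covers only the absent-`aud` case: a token from the exempt issuer that does name some other audience was minted for another service and is still rejected. Keep the exempt set as narrow as possible, since `aud` is what stops a token issued for one service from being replayed against Pulsar, and note that Secret-based service account tokens carry no `exp` either, so they have to be handled as long-lived credentials.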
