This is an automated email from the ASF dual-hosted git repository.
lhotari pushed a commit to branch branch-4.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-4.0 by this push:
new 2760ee96caa [fix][misc] Allow JWT tokens in OpenID auth without nbf
claim (#25197)
2760ee96caa is described below
commit 2760ee96caa7a02d7155d864b1b16ea773f520be
Author: Lari Hotari <[email protected]>
AuthorDate: Fri Jan 30 08:40:14 2026 +0200
[fix][misc] Allow JWT tokens in OpenID auth without nbf claim (#25197)
(cherry picked from commit d630394cdd02792b2dbc3a55443637a5d593a137)
---
.../authentication/oidc/AuthenticationProviderOpenID.java | 1 -
.../oidc/AuthenticationProviderOpenIDTest.java | 15 +++++++++++++++
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
index 7f6f70c0615..cb7877543bf 100644
---
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
+++
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
@@ -445,7 +445,6 @@ public class AuthenticationProviderOpenID implements
AuthenticationProvider {
.withAnyOfAudience(allowedAudiences)
.withClaimPresence(RegisteredClaims.ISSUED_AT)
.withClaimPresence(RegisteredClaims.EXPIRES_AT)
- .withClaimPresence(RegisteredClaims.NOT_BEFORE)
.withClaimPresence(RegisteredClaims.SUBJECT);
if (isRoleClaimNotSubject) {
diff --git
a/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
b/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
index 377588c4a5a..27b3908eaa7 100644
---
a/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
+++
b/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
@@ -18,6 +18,7 @@
*/
package org.apache.pulsar.broker.authentication.oidc;
+import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.testng.Assert.assertNull;
import com.auth0.jwt.JWT;
@@ -196,6 +197,20 @@ public class AuthenticationProviderOpenIDTest {
() -> basicProvider.verifyJWT(keyPair.getPublic(),
SignatureAlgorithm.RS256.getValue(), jwt));
}
+ @Test
+ public void ensureWithoutNBFSucceeds() throws Exception {
+ KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
+ DefaultJwtBuilder defaultJwtBuilder = new DefaultJwtBuilder();
+ addValidMandatoryClaims(defaultJwtBuilder, basicProviderAudience);
+ // remove "nbf" claim
+ defaultJwtBuilder.setNotBefore(null);
+ defaultJwtBuilder.signWith(keyPair.getPrivate());
+ DecodedJWT jwt = JWT.decode(defaultJwtBuilder.compact());
+ assertThat(jwt.getNotBefore()).isNull();
+ assertThat(jwt.getClaims().get("nbf")).isNull();
+ basicProvider.verifyJWT(keyPair.getPublic(),
SignatureAlgorithm.RS256.getValue(), jwt);
+ }
+
@Test
public void ensureFutureIATFails() throws Exception {
KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
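Review bot: The added test `ensureWithoutNBFSucceeds` pins only the absent-`nbf` path, so nothing in this hunk shows that a token carrying an `nbf` in the future is still rejected now that the presence requirement is gone from the verifier chain in AuthenticationProviderOpenID. Dropping `withClaimPresence(RegisteredClaims.NOT_BEFORE)` should only make the claim optional, with the library's time check presumably still applying when the claim is present. If the test class has no such case outside this hunk, add a companion test that sets `nbf` later than now plus the accepted clock skew and wraps the call in `assertThatThrownBy(() -> basicProvider.verifyJWT(keyPair.getPublic(), SignatureAlgorithm.RS256.getValue(), jwt))`. A short comment above the final call in the new test, `// must not throw: nbf is optional, exp/iat/sub are still required`, would also make the implicit no-exception assertion obvious. The hunk ends inside `ensureFutureIATFails`, whose body is outside the view.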