This is an automated email from the ASF dual-hosted git repository.

lhotari pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-3.0 by this push:
     new fe3239f4cf9 [fix][misc] Allow JWT tokens in OpenID auth without nbf 
claim (#25197)
fe3239f4cf9 is described below

commit fe3239f4cf9de602706b631e032499cd120c599b
Author: Lari Hotari <[email protected]>
AuthorDate: Fri Jan 30 08:40:14 2026 +0200

    [fix][misc] Allow JWT tokens in OpenID auth without nbf claim (#25197)
    
    (cherry picked from commit d630394cdd02792b2dbc3a55443637a5d593a137)
---
 .../authentication/oidc/AuthenticationProviderOpenID.java |  1 -
 .../oidc/AuthenticationProviderOpenIDTest.java            | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
index 08b7e7928e8..a70f9e93117 100644
--- 
a/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
+++ 
b/pulsar-broker-auth-oidc/src/main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
@@ -421,7 +421,6 @@ public class AuthenticationProviderOpenID implements 
AuthenticationProvider {
                 .withAnyOfAudience(allowedAudiences)
                 .withClaimPresence(RegisteredClaims.ISSUED_AT)
                 .withClaimPresence(RegisteredClaims.EXPIRES_AT)
-                .withClaimPresence(RegisteredClaims.NOT_BEFORE)
                 .withClaimPresence(RegisteredClaims.SUBJECT);
 
         if (isRoleClaimNotSubject) {
diff --git 
a/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
 
b/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
index 74abffe9c38..4cc3dcd46c7 100644
--- 
a/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
+++ 
b/pulsar-broker-auth-oidc/src/test/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDTest.java
@@ -18,6 +18,7 @@
  */
 package org.apache.pulsar.broker.authentication.oidc;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.testng.Assert.assertNull;
 import com.auth0.jwt.JWT;
 import com.auth0.jwt.interfaces.DecodedJWT;
@@ -174,6 +175,20 @@ public class AuthenticationProviderOpenIDTest {
                 () -> basicProvider.verifyJWT(keyPair.getPublic(), 
SignatureAlgorithm.RS256.getValue(), jwt));
     }
 
+    @Test
+    public void ensureWithoutNBFSucceeds() throws Exception {
+        KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
+        DefaultJwtBuilder defaultJwtBuilder = new DefaultJwtBuilder();
+        addValidMandatoryClaims(defaultJwtBuilder, basicProviderAudience);
+        // remove "nbf" claim
+        defaultJwtBuilder.setNotBefore(null);
+        defaultJwtBuilder.signWith(keyPair.getPrivate());
+        DecodedJWT jwt = JWT.decode(defaultJwtBuilder.compact());
+        assertThat(jwt.getNotBefore()).isNull();
+        assertThat(jwt.getClaims().get("nbf")).isNull();
+        basicProvider.verifyJWT(keyPair.getPublic(), 
SignatureAlgorithm.RS256.getValue(), jwt);
+    }
+
     @Test
     public void ensureFutureIATFails() throws Exception {
         KeyPair keyPair = Keys.keyPairFor(SignatureAlgorithm.RS256);
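Review bot: `ensureWithoutNBFSucceeds` covers only the accept path for a token with no `nbf`. Nothing visible here shows that a token whose `nbf` lies in the future is still rejected now that `.withClaimPresence(RegisteredClaims.NOT_BEFORE)` has been dropped from the verifier chain in `AuthenticationProviderOpenID`. The rest of the test class is outside the hunk, so if it does not already contain that negative case, add one beside this test: same builder setup, but `setNotBefore` given a future date and `verifyJWT` expected to throw. That keeps the relaxation limited to claim presence and stops it drifting into the time check. The comment `// remove "nbf" claim` would also read better with the reason, e.g. `// nbf is optional (RFC 7519); tokens that omit it must still verify`. The final `verifyJWT` call passes merely by not throwing, so if the method returns the verified token (its signature is not shown), asserting on that result would make the intent explicit.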
