EronWright opened a new issue #6711: Support for audience claim in JWT token

URL: https://github.com/apache/pulsar/issues/6711

**Is your feature request related to a problem? Please describe.**

I'd like to be able to configure the JWT authentication provider to verify the audience on incoming tokens. I believe this will improve security because it would prevent a spoofer from reusing a token that was intended for another purpose (yet signed by the same issuer). [RFC 6749 section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3) has some guidance on this.

In my scenario, the token is an OAuth 2.0 token, and OAuth 2.0 makes extensive use of the audience claim ([ref](https://auth0.com/docs/tokens/guides/validate-access-tokens#check-additional-standard-claims)).

**Describe the solution you'd like**

I would like to add logic to `org.apache.pulsar.broker.authentication.AuthenticationProviderToken`:

1. a configurable audience claim name (e.g. `aud`).
2. if audience isn't configured, do not validate the audience (for back-compatibility).
3. if audience is configured, validate that the value is present in the token.
4. Note that the audience claim in a given token may be a string or an array of strings. In the latter case, the token has numerous audiences and we validate that the broker is one of those audiences.
5. Update the documentation to recommend the use of an audience claim in your tokens.
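The validation rules proposed in the issue (configurable claim name, skip when no audience is configured, accept either a single string or an array of strings), written out as an added standalone example; this is not Pulsar's Java `AuthenticationProviderToken` code. It uses a minimal HS256 sign/verify built on the standard library so it runs offline, and the secret, claim values and audience names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT for the example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Check the signature (constant-time) before trusting any claim."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # do not let the token pick the algorithm
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def audience_ok(claims: dict, audience_claim: str, expected_audience) -> bool:
    """Rules 2-4 from the issue: skip if unconfigured, else the broker must be
    the string value or one of the array values; anything else is rejected."""
    if expected_audience is None:
        return True  # back-compat: no audience configured, no audience check
    aud = claims.get(audience_claim)
    if isinstance(aud, str):
        return aud == expected_audience
    if isinstance(aud, list):
        return any(isinstance(a, str) and a == expected_audience for a in aud)
    return False  # claim missing or of an unexpected type


def authenticate(token: str, secret: bytes, audience_claim: str = "aud",
                 expected_audience=None) -> str:
    """Return the subject of a token whose signature and audience both pass."""
    claims = verify_hs256(token, secret)
    if not audience_ok(claims, audience_claim, expected_audience):
        raise ValueError("token not intended for this audience")
    return claims["sub"]
```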
