jiazhai opened a new pull request #6716: [Issue #6711]: add audience verify in AuthenticationProviderToken

URL: https://github.com/apache/pulsar/pull/6716

Fixes #6711

### Motivation

Users would like to be able to configure the JWT authentication provider to verify the audience on incoming tokens. I believe this will improve security because it would prevent a spoofer from reusing a token that was intended for another purpose (yet signed by the same issuer). [RFC 6749 section 4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3) has some guidance on this. In my scenario, the token is an OAuth 2.0 token, and OAuth 2.0 makes extensive use of the audience claim ([ref](https://auth0.com/docs/tokens/guides/validate-access-tokens#check-additional-standard-claims)).

1. a configurable audience claim name (e.g. `aud`).
2. if audience isn't configured, do not validate the audience (for back-compatibility).
3. if audience is configured, validate that the value is present in the token.

### Modifications

- Add the logic in AuthenticationProviderToken.
- Add related tests.

### Verifying this change

- UT passed
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
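The three rules above (configurable claim name, skip the check when no audience is configured, otherwise require the configured value in the token) as an added, stand-alone illustration. This is not the pull request's Java code nor Pulsar's `AuthenticationProviderToken`; it is a small Python model using only the standard library. The HS256 signer is a toy issuer so the example runs offline, `DEMO_SECRET`, the token contents and the `check_audience` / `authenticate` names are all constructed for this example, and the handling of a list-valued claim follows RFC 7519 section 4.1.3, which allows `aud` to be a single string or an array of strings (an assumption about how the check should treat arrays; the PR text only says "the value is present").

```python
"""Audience check for JWTs: configurable claim name, optional enforcement.

Added example modelled on the PR description; not Pulsar's own code.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional

# Constructed demo secret for the toy issuer below; never use a literal like this in production.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], secret: bytes) -> str:
    """Toy issuer: build a compact HS256 JWS from a claims dict."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> Dict[str, Any]:
    """Check the signature first, then return the claims; raise ValueError on any problem."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; do not let the token choose it
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_audience(claims: Dict[str, Any], claim_name: str = "aud",
                   required_audience: Optional[str] = None) -> bool:
    """Rules 1-3 of the PR: configurable claim name; no configured audience means no check."""
    if required_audience is None:
        return True  # back-compatibility: audience not configured, accept as before
    value = claims.get(claim_name)
    if isinstance(value, str):
        return value == required_audience
    if isinstance(value, list):
        # RFC 7519 s.4.1.3 allows an array of audiences; accept if ours is one of them.
        return required_audience in value
    return False  # claim absent or of an unexpected type


def authenticate(token: str, secret: bytes, claim_name: str = "aud",
                 required_audience: Optional[str] = None) -> Optional[str]:
    """Return the token subject if signature and audience are acceptable, else None."""
    try:
        claims = verify_hs256(token, secret)
    except ValueError:
        return None
    if not check_audience(claims, claim_name, required_audience):
        return None
    return claims.get("sub")


def demo_tokens() -> Dict[str, str]:
    """Constructed sample tokens: same issuer key, different intended audiences."""
    return {
        "broker": sign_hs256({"sub": "alice", "aud": "pulsar-broker"}, DEMO_SECRET),
        "other": sign_hs256({"sub": "bob", "aud": "billing-api"}, DEMO_SECRET),
        "multi": sign_hs256({"sub": "carol", "aud": ["billing-api", "pulsar-broker"]}, DEMO_SECRET),
        "no_aud": sign_hs256({"sub": "dave"}, DEMO_SECRET),
        "custom": sign_hs256({"sub": "erin", "resource": "pulsar-broker"}, DEMO_SECRET),
        "forged": sign_hs256({"sub": "mallory", "aud": "pulsar-broker"}, b"wrong-key"),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(name, "->", authenticate(tok, DEMO_SECRET, required_audience="pulsar-broker"))
```

The "other" token is the case the PR is about: it is validly signed by the same issuer, so without an audience check it would be accepted, and with `required_audience="pulsar-broker"` configured it is rejected. The "custom" token shows rule 1, a claim name other than `aud`.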
