Remove nbf as a required claim

[andy-vertex]

Search before reporting

• I searched in the issues and found nothing similar.

Motivation

When using OIDC as the authentication provider, nbf is a required claim as seen in code here

When using Auth0 as a provider, which doesn't return the nbf field, it results in OIDC being unusable:
https://community.auth0.com/t/jwt-token-does-not-contain-nbf-claim-again/62350

Solution

I think the field should be removed or optional.

Alternatives

I don't know.

Anything else?

I am not sure what the required claims are based on but according to the comments above the required claims, it should mirror https://openid.net/specs/openid-connect-basic-1_0.html#IDToken but in that doc, nbf doesn't show up.

I also did find this Issue which is similar but instead for allowing aud to be optional but it was closed and I couldn't find the relevant changes made.

Are you willing to submit a PR?

• I'm willing to submit a PR!

[lhotari]

Looks like nbf might be mandatory also in the com.auth0:java-jwt library used in Pulsar: https://github.com/auth0/java-jwt/blob/ee7332b023719a9007be0caf5ef7608840fc4946/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L309-L310 .
Very odd since it's a library by Auth0.

[lhotari]

Looks like nbf might be mandatory also in the com.auth0:java-jwt library used in Pulsar: https://github.com/auth0/java-jwt/blob/ee7332b023719a9007be0caf5ef7608840fc4946/lib/src/main/java/com/auth0/jwt/JWTVerifier.java#L309-L310 . Very odd since it's a library by Auth0.

It's not mandatory after all in com.auth0:java-jwt. It's just that when the claim is present, it will be checked, which makes sense. I checked with a unit test. Pushing a PR to address this issue.

[lhotari]

PR in #25197

[qweasd1]

thank you so much @lhotari! feel free to close the issue and let us know when this new version will be out!