Skip to content

Remove nbf as a required claim #25190

@andy-vertex

Description

@andy-vertex

Search before reporting

  • I searched in the issues and found nothing similar.

Motivation

When using OIDC as the authentication provider, nbf is a required claim as seen in code here

When using Auth0 as a provider, which doesn't return the nbf field, it results in OIDC being unusable:
https://community.auth0.com/t/jwt-token-does-not-contain-nbf-claim-again/62350

Solution

I think the field should be removed or optional.

Alternatives

I don't know.

Anything else?

I am not sure what the required claims are based on but according to the comments above the required claims, it should mirror https://openid.net/specs/openid-connect-basic-1_0.html#IDToken but in that doc, nbf doesn't show up.

I also did find this Issue which is similar but instead for allowing aud to be optional but it was closed and I couldn't find the relevant changes made.

Are you willing to submit a PR?

  • I'm willing to submit a PR!

Metadata

Metadata

Assignees

Labels

type/enhancementThe enhancements for the existing features or docs. e.g. reduce memory usage of the delayed messages

Type

No type
No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions