Missing nbf claim breaks OAuth2JWT

[oopjot]

When using OpenUnison's oauth2jwt authentication mechanism with Bitbucket Pipelines as the OIDC provider, the following NPE is thrown:

java.lang.NullPointerException: Cannot invoke "java.lang.Long.longValue()" 
because the return value of "org.json.simple.JSONObject.get(Object)" is null
    at com.tremolosecurity.proxy.auth.oauth2.OAuth2JWT.processToken(OAuth2JWT.java:229)

Bitbucket doesn't support adding that claim to the pipeline step token.
According to RFC 7519, this is an optional claim. Please consider making it optional in oauth2jwt authentication mechanism.

[mlbiam]

i don't see why not. we're cutting a new release in the next few days. Should be able to include this.

[mlbiam]

@oopjot is the iat claim included? i want to have some checking for lower bounds, like it can't be more then a certain number of minutes off of the current clock.

[oopjot]

@mlbiam iat and exp claims are included.

[mlbiam]

@oopjot try docker.io/tremolosecurity/betas:1.0.49, it defaults to a 5 min grace period based on iat. it's configurable, but haven't written the docs yet

[oopjot]

@mlbiam it works. Awaiting release. I appreciate, many thanks!