JWT acl rules are only applied if an exp claim is set

[flashspys]

What happened?

We used the JWT authentication and discovered that the acl claims are only working if the JWT also includes a valid exp date.

What did you expect to happen?

I expect this to be documented at least somewhere. I'm not even sure if this is a feature or a bug.

How can we reproduce it (as minimally and precisely as possible)?

{
  "clientid": "test",
  "acl": {"all": ["foonbar"]},
  "exp": 9999999999 // <- Without this, the acl is not respected
}

Anything else we need to know?

No response

EMQX version

$ ./bin/emqx_ctl broker
sysdescr  : EMQX
version   : 5.0.9
datetime  : 2022-10-24T13:51:56.988813849+00:00
uptime    : 30 minutes, 56 seconds

OS version

# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ uname -a
Linux emqx 5.4.0-120-generic #136-Ubuntu SMP Fri Jun 10 13:40:48 UTC 2022 x86_64 GNU/Linux

Log files

2022-10-24T13:43:24.412288+00:00 [debug] clientid: felix1, line: 781, mfa: emqx_connection:handle_incoming/2, msg: mqtt_packet_received, packet: PUBLISH(Q0, R0, D0),Topic=r2gs, PacketId=undefinedPayload=asdf, peername: xxxxxxxxx:56683, tag: MQTT 2022-10-24T13:43:24.412678+00:00 [info] clientid: felix1, ipaddr: {79,194,165,144}, line: 367, mfa: emqx_authz:authorize_non_superuser/5, msg: authorization_failed_nomatch, peername: xxxxxxxxx:56683, reason: no-match rule, topic: r2gs, username: <<"felixr">> 2022-10-24T13:43:24.413023+00:00 [warning] clientid: felix1, line: 663, mfa: emqx_channel:process_publish/2, msg: cannot_publish_to_topic, peername: xxxxxxxxxxx:56683, reason: not_authorized, topic: r2gs

[lafirest]

@flashspys
Yes, after investigation I have confirmed that this is a bug and we will fix it later