KAFKA-15878: KIP-768 - Extend support for opaque (i.e. non-JWT) tokens in SASL/OAUTHBEARER #14818
…racter set as per RFC-7650#2.1
KIP-768: Extend support for opaque (i.e. non-JWT) tokens in SASL/OAUTHBEARER
@jcme—I wrote and implemented KIP-768, so I'll take a look at this. Also, are you able to assign the Jira to yourself? Thanks!
@jcme—Can you trigger a rebuild of the CI job? It looks like the last run didn't work.
@jcme Thanks for the PR. Can you pls rebase the PR to latest trunk?
Thanks for the PR!
Changes look good to me. Looking at 2.1 of the RFC, those missing characters are a pretty clear omission. Thanks for catching this!
@jcme Thanks for the PR. LGTM
…s in SASL/OAUTHBEARER (apache#14818)

# Overview

* This change pertains to [SASL/OAUTHBEARER](https://kafka.apache.org/documentation/#security_sasl_oauthbearer) mechanism of Kafka authentication.
* Kafka clients can use [SASL/OAUTHBEARER](https://kafka.apache.org/documentation/#security_sasl_oauthbearer) mechanism by overriding the [custom call back handlers](https://kafka.apache.org/documentation/#security_sasl_oauthbearer_prod).
* [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575) available from v3.1 further extends the mechanism with a production grade implementation.
* Kafka's [SASL/OAUTHBEARER](https://kafka.apache.org/documentation/#security_sasl_oauthbearer) mechanism currently **rejects the non-JWT (i.e. opaque) tokens**. This is because of a more restrictive set of characters than what [RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1) recommends.
* This JIRA can be considered an extension of [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575) to support the opaque tokens as well apart from the JWT tokens.

# Solution

* Have updated the regex in the offending class to be compliant with the [RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)
* Have provided a supporting test case that includes the possible character set defined in [RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)

---------

Co-authored-by: Anuj Sharma <philomath.anuj@gmail.com>
Co-authored-by: Jamie Holmes <jamie.holmes@tesco.com>
Co-authored-by: Christopher Webb <31657038+cwebbtw@users.noreply.github.com>
Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Kirk True <ktrue@confluent.io>
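Added example, not part of this PR or of Kafka's code: a Python check of bearer tokens against the `b64token` grammar in RFC 6750 section 2.1, next to a narrower JWT-shaped character set, to show which opaque tokens a narrower pattern turns away. The narrow pattern, the function names and the sample tokens are assumptions made for illustration.

```python
import re

# RFC 6750 section 2.1:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
RFC6750_B64TOKEN = re.compile(r"[A-Za-z0-9\-._~+/]+=*")

# Constructed for illustration, NOT Kafka's regex: only the characters a
# compact-serialized JWT uses (base64url segments joined by dots).
JWT_ONLY_CHARSET = re.compile(r"[A-Za-z0-9\-_.]+")


def classify(token: str) -> str:
    """Return 'invalid', 'jwt-charset' or 'opaque-only' for a bearer token.

    This is a syntax check only; it says nothing about whether the token
    is genuine, unexpired or issued by a trusted party.
    """
    # fullmatch rather than match with '$': '$' also accepts a trailing newline.
    if RFC6750_B64TOKEN.fullmatch(token) is None:
        return "invalid"
    if JWT_ONLY_CHARSET.fullmatch(token) is not None:
        return "jwt-charset"
    return "opaque-only"


def chars_outside_jwt_set(token: str) -> str:
    """Distinct characters of token that the JWT-only set does not allow."""
    return "".join(sorted({c for c in token if JWT_ONLY_CHARSET.fullmatch(c) is None}))


# Sample tokens: the first is the example token from RFC 6750, the rest
# are constructed for this example.
SAMPLES = [
    "mF_9.B5f-4.1JqM",   # fits both character sets
    "ab+cd/ef~gh==",     # valid b64token, outside the JWT-only set
    "abc=def",           # '=' is only allowed as trailing padding
    "abc def",           # whitespace is never allowed
    "abc\n",             # trailing newline must not slip through
    "",                  # at least one token character is required
]

if __name__ == "__main__":
    for tok in SAMPLES:
        print(f"{tok!r:20} {classify(tok):12} {chars_outside_jwt_set(tok)!r}")
```
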