This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new 8e43548175d KAFKA-13725: KIP-768 OAuth code mixes public and internal
classes in same package (#12039)
8e43548175d is described below
commit 8e43548175db086cbedf1b990e17c80dc438d55e
Author: Kirk True <[email protected]>
AuthorDate: Fri Sep 23 00:45:15 2022 -0700
KAFKA-13725: KIP-768 OAuth code mixes public and internal classes in same
package (#12039)
* KAFKA-13725: KIP-768 OAuth code mixes public and internal classes in same
package
Move classes into a sub-package of "internals" named "secured" that
more closely matches the layout of the "unsecured" package.
Replaces the concrete implementations in the former packages with
sub-classes of the new package layout and marks them as deprecated. If
anyone is already using the newer OAuth code, this should still work.
* Fix checkstyle and spotbugs violations
Co-authored-by: Kirk True <[email protected]>
Reviewers: Manikumar Reddy <[email protected]>
---
checkstyle/import-control.xml | 4 +-
.../OAuthBearerLoginCallbackHandler.java | 20 +-
.../OAuthBearerValidatorCallbackHandler.java | 20 +-
.../secured/AccessTokenRetriever.java | 2 +-
.../secured/AccessTokenRetrieverFactory.java | 8 +-
.../secured/AccessTokenValidator.java | 2 +-
.../secured/AccessTokenValidatorFactory.java | 2 +-
.../secured/BasicOAuthBearerToken.java | 2 +-
.../secured/ClaimValidationUtils.java | 2 +-
.../secured/CloseableVerificationKeyResolver.java | 4 +-
.../secured/ConfigurationUtils.java | 2 +-
.../secured/FileTokenRetriever.java | 2 +-
.../secured/HttpAccessTokenRetriever.java | 3 +-
.../{ => internals}/secured/Initable.java | 2 +-
.../{ => internals}/secured/JaasOptionsUtils.java | 2 +-
.../secured/JwksFileVerificationKeyResolver.java | 2 +-
.../secured/LoginAccessTokenValidator.java | 2 +-
.../secured/RefreshingHttpsJwks.java | 2 +-
...RefreshingHttpsJwksVerificationKeyResolver.java | 2 +-
.../oauthbearer/{ => internals}/secured/Retry.java | 2 +-
.../{ => internals}/secured/Retryable.java | 2 +-
.../{ => internals}/secured/SerializedJwt.java | 2 +-
.../secured/UnretryableException.java | 2 +-
.../{ => internals}/secured/ValidateException.java | 2 +-
.../secured/ValidatorAccessTokenValidator.java | 2 +-
.../secured/VerificationKeyResolverFactory.java | 2 +-
.../secured/OAuthBearerLoginCallbackHandler.java | 272 +--------------------
.../OAuthBearerValidatorCallbackHandler.java | 256 +------------------
.../OAuthBearerLoginCallbackHandlerTest.java | 15 +-
.../OAuthBearerValidatorCallbackHandlerTest.java | 9 +-
.../secured/AccessTokenBuilder.java | 2 +-
.../secured/AccessTokenRetrieverFactoryTest.java | 2 +-
.../secured/AccessTokenValidatorFactoryTest.java | 3 +-
.../secured/AccessTokenValidatorTest.java | 2 +-
.../secured/BasicOAuthBearerTokenTest.java | 2 +-
.../secured/ClaimValidationUtilsTest.java | 3 +-
.../secured/ConfigurationUtilsTest.java | 2 +-
.../secured/HttpAccessTokenRetrieverTest.java | 3 +-
.../secured/JaasOptionsUtilsTest.java | 2 +-
.../secured/LoginAccessTokenValidatorTest.java | 2 +-
.../{ => internals}/secured/OAuthBearerTest.java | 2 +-
.../secured/RefreshingHttpsJwksTest.java | 7 +-
.../{ => internals}/secured/RetryTest.java | 3 +-
.../secured/ValidatorAccessTokenValidatorTest.java | 2 +-
gradle/spotbugs-exclude.xml | 5 +
.../apache/kafka/tools/OAuthCompatibilityTool.java | 24 +-
46 files changed, 110 insertions(+), 607 deletions(-)
diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
index 45dc28d9e3a..41b6fb7f676 100644
--- a/checkstyle/import-control.xml
+++ b/checkstyle/import-control.xml
@@ -139,9 +139,7 @@
</subpackage>
<subpackage name="oauthbearer">
<allow pkg="com.fasterxml.jackson.databind" />
- <subpackage name="secured">
- <allow pkg="org.jose4j" />
- </subpackage>
+ <allow pkg="org.jose4j" />
</subpackage>
</subpackage>
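Review bot: The `<allow pkg="org.jose4j" />` rule now sits directly under `oauthbearer` instead of inside one sub-package, so every class in the public `oauthbearer` package may import jose4j, and so may its sub-packages unless the rule is marked local-only. That makes it easy for third-party JWT types to end up in public API signatures without checkstyle objecting. If OAuthBearerValidatorCallbackHandler is the only public-package class that needs jose4j, consider keeping the scoped rule for the moved code (`<subpackage name="secured"><allow pkg="org.jose4j" /></subpackage>` nested under an `internals` subpackage). The handler would then get a narrower exception of its own, provided the checkstyle version in use supports one.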
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
similarity index 93%
copy from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
copy to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
index da426f05445..dce506f50e9 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
@@ -34,9 +34,13 @@ import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import
org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetrieverFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -71,7 +75,7 @@ import org.slf4j.LoggerFactory;
* configuration like so:
*
* <code>
- *
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ *
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler
* </code>
* </p>
*
@@ -81,7 +85,7 @@ import org.slf4j.LoggerFactory;
* <code>listener.name.<listener
name>.oauthbearer.sasl.login.callback.handler.class</code> like so:
*
* <code>
- * listener.name.<listener
name>.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
+ * listener.name.<listener
name>.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler
* </code>
* </p>
*
@@ -188,11 +192,7 @@ public class OAuthBearerLoginCallbackHandler implements
AuthenticateCallbackHand
init(accessTokenRetriever, accessTokenValidator);
}
- /*
- * Package-visible for testing.
- */
-
- void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator
accessTokenValidator) {
+ public void init(AccessTokenRetriever accessTokenRetriever,
AccessTokenValidator accessTokenValidator) {
this.accessTokenRetriever = accessTokenRetriever;
this.accessTokenValidator = accessTokenValidator;
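Review bot: Making `init(AccessTokenRetriever, AccessTokenValidator)` public puts two `internals.secured` types into the signature of a public API class and removes the only comment saying this overload exists for testing. The visible lines assign both fields unconditionally, so any code holding a handler reference can now replace the token retriever and validator after configuration. If other packages really need the method, document the contract, for example `/** Visible for testing only; not part of the supported public API. */`, otherwise keep it package-private with tests in the same package. The same applies to `init(CloseableVerificationKeyResolver, AccessTokenValidator)` in OAuthBearerValidatorCallbackHandler, where the replaceable object is the verification key resolver. The method body continues outside the hunk.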
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java
similarity index 91%
copy from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
copy to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java
index 5ba737885e4..2d296b545bb 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer;
import java.io.IOException;
import java.security.Key;
@@ -29,9 +29,13 @@ import
javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
-import
org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.VerificationKeyResolverFactory;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.UnresolvableKeyException;
@@ -55,7 +59,7 @@ import org.slf4j.LoggerFactory;
* like so:
*
* <code>
- * listener.name.<listener
name>.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
+ * listener.name.<listener
name>.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler
* </code>
* </p>
*
@@ -132,11 +136,7 @@ public class OAuthBearerValidatorCallbackHandler
implements AuthenticateCallback
init(verificationKeyResolver, accessTokenValidator);
}
- /*
- * Package-visible for testing.
- */
-
- void init(CloseableVerificationKeyResolver verificationKeyResolver,
AccessTokenValidator accessTokenValidator) {
+ public void init(CloseableVerificationKeyResolver verificationKeyResolver,
AccessTokenValidator accessTokenValidator) {
this.verificationKeyResolver = verificationKeyResolver;
this.accessTokenValidator = accessTokenValidator;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetriever.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetriever.java
similarity index 97%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetriever.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetriever.java
index e4ae5993f6f..080ea4515b4 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetriever.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetriever.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.Closeable;
import java.io.IOException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactory.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactory.java
similarity index 89%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactory.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactory.java
index e7b3b5ccc29..ac224730597 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactory.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactory.java
@@ -15,16 +15,16 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_LOGIN_CONNECT_TIMEOUT_MS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;
import java.net.URL;
import java.util.Locale;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidator.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidator.java
similarity index 97%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidator.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidator.java
index 2a8c2b0f3e8..0b107a09bc0 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidator.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidator.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactory.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactory.java
similarity index 97%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactory.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactory.java
index 232ebc1c7df..cba51c3b855 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactory.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactory.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_CLOCK_SKEW_SECONDS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_EXPECTED_AUDIENCE;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerToken.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerToken.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerToken.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerToken.java
index 8527f806938..c35dfa7b17c 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerToken.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerToken.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.util.Set;
import java.util.StringJoiner;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtils.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtils.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtils.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtils.java
index bb08ec52b7c..5bf5ef068ed 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtils.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtils.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.util.Collection;
import java.util.Collections;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/CloseableVerificationKeyResolver.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/CloseableVerificationKeyResolver.java
similarity index 92%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/CloseableVerificationKeyResolver.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/CloseableVerificationKeyResolver.java
index b74aaa1425a..d18b8273bbb 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/CloseableVerificationKeyResolver.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/CloseableVerificationKeyResolver.java
@@ -15,10 +15,12 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.Closeable;
import java.io.IOException;
+
+import
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
/**
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtils.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java
similarity index 99%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtils.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java
index f17295d2e58..99bc20661bb 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtils.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.File;
import java.net.MalformedURLException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/FileTokenRetriever.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
similarity index 96%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/FileTokenRetriever.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
index 3ffa4c89d06..6ffd9ad611d 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/FileTokenRetriever.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/FileTokenRetriever.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.IOException;
import java.nio.file.Path;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java
similarity index 99%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java
index b92a6c3ea1f..78917de6f1e 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetriever.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -40,6 +40,7 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SaslConfigs;
+import
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Initable.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Initable.java
similarity index 94%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Initable.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Initable.java
index bf4115e8242..0a38f2b5094 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Initable.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Initable.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.IOException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtils.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtils.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtils.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtils.java
index e728881545b..83976de73ab 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtils.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtils.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.net.URL;
import java.util.Collections;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JwksFileVerificationKeyResolver.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JwksFileVerificationKeyResolver.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JwksFileVerificationKeyResolver.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JwksFileVerificationKeyResolver.java
index 19ed74930a5..605ee45b929 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/JwksFileVerificationKeyResolver.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JwksFileVerificationKeyResolver.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.IOException;
import java.nio.file.Path;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidator.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidator.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidator.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidator.java
index b67ffb2b579..76cc7a9404d 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidator.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidator.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static
org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME;
import static
org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwks.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwks.java
similarity index 99%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwks.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwks.java
index 4003a4451db..ef746fbb11e 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwks.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwks.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.Closeable;
import java.io.IOException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksVerificationKeyResolver.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksVerificationKeyResolver.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksVerificationKeyResolver.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksVerificationKeyResolver.java
index b496720c2cb..f74629bc5e1 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksVerificationKeyResolver.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksVerificationKeyResolver.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.IOException;
import java.security.Key;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retry.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retry.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retry.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retry.java
index d0379ee4859..db52e8b15e8 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retry.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retry.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.util.concurrent.ExecutionException;
import org.apache.kafka.common.utils.Time;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retryable.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retryable.java
similarity index 95%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retryable.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retryable.java
index 67967ad8a87..46752f3ea60 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/Retryable.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/Retryable.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.util.concurrent.ExecutionException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/SerializedJwt.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/SerializedJwt.java
similarity index 97%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/SerializedJwt.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/SerializedJwt.java
index 962d720883f..6456e8b06c3 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/SerializedJwt.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/SerializedJwt.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
/**
* SerializedJwt provides a modicum of structure and validation around a JWT's
serialized form by
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/UnretryableException.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/UnretryableException.java
similarity index 94%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/UnretryableException.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/UnretryableException.java
index 1964cfb1a23..73446cd4bc0 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/UnretryableException.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/UnretryableException.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import org.apache.kafka.common.KafkaException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidateException.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidateException.java
similarity index 95%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidateException.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidateException.java
index 2ebebeb31cd..7ebb4deb989 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidateException.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidateException.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import javax.security.auth.callback.Callback;
import org.apache.kafka.common.KafkaException;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidator.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidator.java
similarity index 99%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidator.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidator.java
index 71d549153bb..5f51d456efd 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidator.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidator.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.jose4j.jwa.AlgorithmConstraints.DISALLOW_NONE;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/VerificationKeyResolverFactory.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactory.java
similarity index 98%
rename from
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/VerificationKeyResolverFactory.java
rename to
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactory.java
index b6ec46a5a47..3eb8dd64ba1 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/VerificationKeyResolverFactory.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/VerificationKeyResolverFactory.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MAX_MS;
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
index da426f05445..68780a2c94e 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandler.java
@@ -17,277 +17,11 @@
package org.apache.kafka.common.security.oauthbearer.secured;
-import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
-
-import java.io.IOException;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.auth.login.AppConfigurationEntry;
-import javax.security.sasl.SaslException;
-
-import org.apache.kafka.common.KafkaException;
-import org.apache.kafka.common.config.ConfigDef;
-import org.apache.kafka.common.config.ConfigException;
-import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
-import org.apache.kafka.common.security.auth.SaslExtensions;
-import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
-import
org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
/**
- * <p>
- * <code>OAuthBearerLoginCallbackHandler</code> is an {@link
AuthenticateCallbackHandler} that
- * accepts {@link OAuthBearerTokenCallback} and {@link SaslExtensionsCallback}
callbacks to
- * perform the steps to request a JWT from an OAuth/OIDC provider using the
- * <code>clientcredentials</code>. This grant type is commonly used for
non-interactive
- * "service accounts" where there is no user available to interactively supply
credentials.
- * </p>
- *
- * <p>
- * The <code>OAuthBearerLoginCallbackHandler</code> is used on the client side
to retrieve a JWT
- * and the {@link OAuthBearerValidatorCallbackHandler} is used on the broker
to validate the JWT
- * that was sent to it by the client to allow access. Both the brokers and
clients will need to
- * be configured with their appropriate callback handlers and respective
configuration for OAuth
- * functionality to work.
- * </p>
- *
- * <p>
- * Note that while this callback handler class must be specified for a Kafka
client that wants to
- * use OAuth functionality, in the case of OAuth-based inter-broker
communication, the callback
- * handler must be used on the Kafka broker side as well.
- * {@link }
- * </p>
- *
- * <p>
- * This {@link AuthenticateCallbackHandler} is enabled by specifying its class
name in the Kafka
- * configuration. For client use, specify the class name in the
- * {@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_CALLBACK_HANDLER_CLASS}
- * configuration like so:
- *
- * <code>
- *
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
- * </code>
- * </p>
- *
- * <p>
- * If using OAuth login on the broker side (for inter-broker communication),
the callback handler
- * class will be specified with a listener-based property:
- * <code>listener.name.<listener
name>.oauthbearer.sasl.login.callback.handler.class</code> like so:
- *
- * <code>
- * listener.name.<listener
name>.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
- * </code>
- * </p>
- *
- * <p>
- * The Kafka configuration must also include JAAS configuration which includes
the following
- * OAuth-specific options:
- *
- * <ul>
- * <li><code>clientId</code>OAuth client ID (required)</li>
- * <li><code>clientSecret</code>OAuth client secret (required)</li>
- * <li><code>scope</code>OAuth scope (optional)</li>
- * </ul>
- * </p>
- *
- * <p>
- * The JAAS configuration can also include any SSL options that are needed.
The configuration
- * options are the same as those specified by the configuration in
- * {@link
org.apache.kafka.common.config.SslConfigs#addClientSslSupport(ConfigDef)}.
- * </p>
- *
- * <p>
- * Here's an example of the JAAS configuration for a Kafka client:
- *
- * <code>
- *
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule
required \
- * clientId="foo" \
- * clientSecret="bar" \
- * scope="baz" \
- * ssl.protocol="SSL" ;
- * </code>
- * </p>
- *
- * <p>
- * The configuration option
- * {@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL}
- * is also required in order for the client to contact the OAuth/OIDC
provider. For example:
- *
- * <code>
- * sasl.oauthbearer.token.endpoint.url=https://example.com/oauth2/v1/token
- * </code>
- *
- * Please see the OAuth/OIDC providers documentation for the token endpoint
URL.
- * </p>
- *
- * <p>
- * The following is a list of all the configuration options that are available
for the login
- * callback handler:
- *
- * <ul>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_CALLBACK_HANDLER_CLASS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_CONNECT_TIMEOUT_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_READ_TIMEOUT_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_RETRY_BACKOFF_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_LOGIN_RETRY_BACKOFF_MAX_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_JAAS_CONFIG}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_SCOPE_CLAIM_NAME}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_SUB_CLAIM_NAME}</li>
- * </ul>
- * </p>
+ * @deprecated See
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler
*/
-public class OAuthBearerLoginCallbackHandler implements
AuthenticateCallbackHandler {
-
- private static final Logger log =
LoggerFactory.getLogger(OAuthBearerLoginCallbackHandler.class);
-
- public static final String CLIENT_ID_CONFIG = "clientId";
- public static final String CLIENT_SECRET_CONFIG = "clientSecret";
- public static final String SCOPE_CONFIG = "scope";
-
- public static final String CLIENT_ID_DOC = "The OAuth/OIDC identity
provider-issued " +
- "client ID to uniquely identify the service account to use for
authentication for " +
- "this client. The value must be paired with a corresponding " +
CLIENT_SECRET_CONFIG + " " +
- "value and is provided to the OAuth provider using the OAuth " +
- "clientcredentials grant type.";
-
- public static final String CLIENT_SECRET_DOC = "The OAuth/OIDC identity
provider-issued " +
- "client secret serves a similar function as a password to the " +
CLIENT_ID_CONFIG + " " +
- "account and identifies the service account to use for authentication
for " +
- "this client. The value must be paired with a corresponding " +
CLIENT_ID_CONFIG + " " +
- "value and is provided to the OAuth provider using the OAuth " +
- "clientcredentials grant type.";
-
- public static final String SCOPE_DOC = "The (optional) HTTP/HTTPS login
request to the " +
- "token endpoint (" + SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL + ") may need
to specify an " +
- "OAuth \"scope\". If so, the " + SCOPE_CONFIG + " is used to provide
the value to " +
- "include with the login request.";
-
- private static final String EXTENSION_PREFIX = "extension_";
-
- private Map<String, Object> moduleOptions;
-
- private AccessTokenRetriever accessTokenRetriever;
-
- private AccessTokenValidator accessTokenValidator;
-
- private boolean isInitialized = false;
-
- @Override
- public void configure(Map<String, ?> configs, String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
- moduleOptions = JaasOptionsUtils.getOptions(saslMechanism,
jaasConfigEntries);
- AccessTokenRetriever accessTokenRetriever =
AccessTokenRetrieverFactory.create(configs, saslMechanism, moduleOptions);
- AccessTokenValidator accessTokenValidator =
AccessTokenValidatorFactory.create(configs, saslMechanism);
- init(accessTokenRetriever, accessTokenValidator);
- }
-
- /*
- * Package-visible for testing.
- */
-
- void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator
accessTokenValidator) {
- this.accessTokenRetriever = accessTokenRetriever;
- this.accessTokenValidator = accessTokenValidator;
-
- try {
- this.accessTokenRetriever.init();
- } catch (IOException e) {
- throw new KafkaException("The OAuth login configuration
encountered an error when initializing the AccessTokenRetriever", e);
- }
-
- isInitialized = true;
- }
-
- /*
- * Package-visible for testing.
- */
-
- AccessTokenRetriever getAccessTokenRetriever() {
- return accessTokenRetriever;
- }
-
- @Override
- public void close() {
- if (accessTokenRetriever != null) {
- try {
- this.accessTokenRetriever.close();
- } catch (IOException e) {
- log.warn("The OAuth login configuration encountered an error
when closing the AccessTokenRetriever", e);
- }
- }
- }
-
- @Override
- public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
- checkInitialized();
-
- for (Callback callback : callbacks) {
- if (callback instanceof OAuthBearerTokenCallback) {
- handleTokenCallback((OAuthBearerTokenCallback) callback);
- } else if (callback instanceof SaslExtensionsCallback) {
- handleExtensionsCallback((SaslExtensionsCallback) callback);
- } else {
- throw new UnsupportedCallbackException(callback);
- }
- }
- }
-
- private void handleTokenCallback(OAuthBearerTokenCallback callback) throws
IOException {
- checkInitialized();
- String accessToken = accessTokenRetriever.retrieve();
-
- try {
- OAuthBearerToken token =
accessTokenValidator.validate(accessToken);
- callback.token(token);
- } catch (ValidateException e) {
- log.warn(e.getMessage(), e);
- callback.error("invalid_token", e.getMessage(), null);
- }
- }
-
- private void handleExtensionsCallback(SaslExtensionsCallback callback) {
- checkInitialized();
-
- Map<String, String> extensions = new HashMap<>();
-
- for (Map.Entry<String, Object> configEntry :
this.moduleOptions.entrySet()) {
- String key = configEntry.getKey();
-
- if (!key.startsWith(EXTENSION_PREFIX))
- continue;
-
- Object valueRaw = configEntry.getValue();
- String value;
-
- if (valueRaw instanceof String)
- value = (String) valueRaw;
- else
- value = String.valueOf(valueRaw);
-
- extensions.put(key.substring(EXTENSION_PREFIX.length()), value);
- }
-
- SaslExtensions saslExtensions = new SaslExtensions(extensions);
-
- try {
-
OAuthBearerClientInitialResponse.validateExtensions(saslExtensions);
- } catch (SaslException e) {
- throw new ConfigException(e.getMessage());
- }
-
- callback.extensions(saslExtensions);
- }
-
- private void checkInitialized() {
- if (!isInitialized)
- throw new IllegalStateException(String.format("To use %s, first
call the configure or init method", getClass().getSimpleName()));
- }
+@Deprecated
+public class OAuthBearerLoginCallbackHandler extends
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler {
}
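Review bot: The `@Deprecated` annotation and the plain-text `@deprecated See ...` tag on this shim only reach code that compiles against the class, but the removed Javadoc shows the handler is normally selected by name through `sasl.login.callback.handler.class`, so a deployment that keeps the old name gets no signal to migrate. I would have the shim log a one-time warning naming the replacement when it is constructed, and make the tag resolvable: `@deprecated Use {@link org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler} instead.` The same applies to the `OAuthBearerValidatorCallbackHandler` shim in the next file section, which brokers reference through `listener.name.<listener name>.oauthbearer.sasl.server.callback.handler.class`. The parent classes are not shown on this page, so whether they already emit such a warning needs confirming.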
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
index 5ba737885e4..817f53b9cb1 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandler.java
@@ -17,261 +17,11 @@
package org.apache.kafka.common.security.oauthbearer.secured;
-import java.io.IOException;
-import java.security.Key;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.concurrent.atomic.AtomicInteger;
-import javax.security.auth.callback.Callback;
-import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.auth.login.AppConfigurationEntry;
-import org.apache.kafka.common.KafkaException;
-import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
-import
org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
-import org.jose4j.jws.JsonWebSignature;
-import org.jose4j.jwx.JsonWebStructure;
-import org.jose4j.lang.UnresolvableKeyException;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
/**
- * <p>
- * <code>OAuthBearerValidatorCallbackHandler</code> is an {@link
AuthenticateCallbackHandler} that
- * accepts {@link OAuthBearerValidatorCallback} and {@link
OAuthBearerExtensionsValidatorCallback}
- * callbacks to implement OAuth/OIDC validation. This callback handler is
intended only to be used
- * on the Kafka broker side as it will receive a {@link
OAuthBearerValidatorCallback} that includes
- * the JWT provided by the Kafka client. That JWT is validated in terms of
format, expiration,
- * signature, and audience and issuer (if desired). This callback handler is
the broker side of the
- * OAuth functionality, whereas {@link OAuthBearerLoginCallbackHandler} is
used by clients.
- * </p>
- *
- * <p>
- * This {@link AuthenticateCallbackHandler} is enabled in the broker
configuration by setting the
- * {@link
org.apache.kafka.common.config.internals.BrokerSecurityConfigs#SASL_SERVER_CALLBACK_HANDLER_CLASS}
- * like so:
- *
- * <code>
- * listener.name.<listener
name>.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
- * </code>
- * </p>
- *
- * <p>
- * The JAAS configuration for OAuth is also needed. If using OAuth for
inter-broker communication,
- * the options are those specified in {@link OAuthBearerLoginCallbackHandler}.
- * </p>
- *
- * <p>
- * The configuration option
- * {@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_JWKS_ENDPOINT_URL}
- * is also required in order to contact the OAuth/OIDC provider to retrieve
the JWKS for use in
- * JWT signature validation. For example:
- *
- * <code>
- * listener.name.<listener
name>.oauthbearer.sasl.oauthbearer.jwks.endpoint.url=https://example.com/oauth2/v1/keys
- * </code>
- *
- * Please see the OAuth/OIDC providers documentation for the JWKS endpoint URL.
- * </p>
- *
- * <p>
- * The following is a list of all the configuration options that are available
for the broker
- * validation callback handler:
- *
- * <ul>
- * <li>{@link
org.apache.kafka.common.config.internals.BrokerSecurityConfigs#SASL_SERVER_CALLBACK_HANDLER_CLASS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_JAAS_CONFIG}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_CLOCK_SKEW_SECONDS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_EXPECTED_AUDIENCE}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_EXPECTED_ISSUER}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MAX_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MS}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_JWKS_ENDPOINT_URL}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_SCOPE_CLAIM_NAME}</li>
- * <li>{@link
org.apache.kafka.common.config.SaslConfigs#SASL_OAUTHBEARER_SUB_CLAIM_NAME}</li>
- * </ul>
- * </p>
+ * @deprecated See
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler
*/
-public class OAuthBearerValidatorCallbackHandler implements
AuthenticateCallbackHandler {
-
- private static final Logger log =
LoggerFactory.getLogger(OAuthBearerValidatorCallbackHandler.class);
-
- /**
- * Because a {@link CloseableVerificationKeyResolver} instance can spawn
threads and issue
- * HTTP(S) calls ({@link RefreshingHttpsJwksVerificationKeyResolver}), we
only want to create
- * a new instance for each particular set of configuration. Because each
set of configuration
- * may have multiple instances, we want to reuse the single instance.
- */
-
- private static final Map<VerificationKeyResolverKey,
CloseableVerificationKeyResolver> VERIFICATION_KEY_RESOLVER_CACHE = new
HashMap<>();
-
- private CloseableVerificationKeyResolver verificationKeyResolver;
-
- private AccessTokenValidator accessTokenValidator;
-
- private boolean isInitialized = false;
-
- @Override
- public void configure(Map<String, ?> configs, String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
- Map<String, Object> moduleOptions =
JaasOptionsUtils.getOptions(saslMechanism, jaasConfigEntries);
- CloseableVerificationKeyResolver verificationKeyResolver;
-
- // Here's the logic which keeps our VerificationKeyResolvers down to a
single instance.
- synchronized (VERIFICATION_KEY_RESOLVER_CACHE) {
- VerificationKeyResolverKey key = new
VerificationKeyResolverKey(configs, moduleOptions);
- verificationKeyResolver =
VERIFICATION_KEY_RESOLVER_CACHE.computeIfAbsent(key, k ->
- new
RefCountingVerificationKeyResolver(VerificationKeyResolverFactory.create(configs,
saslMechanism, moduleOptions)));
- }
-
- AccessTokenValidator accessTokenValidator =
AccessTokenValidatorFactory.create(configs, saslMechanism,
verificationKeyResolver);
- init(verificationKeyResolver, accessTokenValidator);
- }
-
- /*
- * Package-visible for testing.
- */
-
- void init(CloseableVerificationKeyResolver verificationKeyResolver,
AccessTokenValidator accessTokenValidator) {
- this.verificationKeyResolver = verificationKeyResolver;
- this.accessTokenValidator = accessTokenValidator;
-
- try {
- verificationKeyResolver.init();
- } catch (Exception e) {
- throw new KafkaException("The OAuth validator configuration
encountered an error when initializing the VerificationKeyResolver", e);
- }
-
- isInitialized = true;
- }
-
- @Override
- public void close() {
- if (verificationKeyResolver != null) {
- try {
- verificationKeyResolver.close();
- } catch (Exception e) {
- log.error(e.getMessage(), e);
- }
- }
- }
-
- @Override
- public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
- checkInitialized();
-
- for (Callback callback : callbacks) {
- if (callback instanceof OAuthBearerValidatorCallback) {
- handleValidatorCallback((OAuthBearerValidatorCallback)
callback);
- } else if (callback instanceof
OAuthBearerExtensionsValidatorCallback) {
-
handleExtensionsValidatorCallback((OAuthBearerExtensionsValidatorCallback)
callback);
- } else {
- throw new UnsupportedCallbackException(callback);
- }
- }
- }
-
- private void handleValidatorCallback(OAuthBearerValidatorCallback
callback) {
- checkInitialized();
-
- OAuthBearerToken token;
-
- try {
- token = accessTokenValidator.validate(callback.tokenValue());
- callback.token(token);
- } catch (ValidateException e) {
- log.warn(e.getMessage(), e);
- callback.error("invalid_token", null, null);
- }
- }
-
- private void
handleExtensionsValidatorCallback(OAuthBearerExtensionsValidatorCallback
extensionsValidatorCallback) {
- checkInitialized();
-
-
extensionsValidatorCallback.inputExtensions().map().forEach((extensionName, v)
-> extensionsValidatorCallback.valid(extensionName));
- }
-
- private void checkInitialized() {
- if (!isInitialized)
- throw new IllegalStateException(String.format("To use %s, first
call the configure or init method", getClass().getSimpleName()));
- }
-
- /**
- * <code>VkrKey</code> is a simple structure which encapsulates the
criteria for different
- * sets of configuration. This will allow us to use this object as a key
in a {@link Map}
- * to keep a single instance per key.
- */
-
- private static class VerificationKeyResolverKey {
-
- private final Map<String, ?> configs;
-
- private final Map<String, Object> moduleOptions;
-
- public VerificationKeyResolverKey(Map<String, ?> configs, Map<String,
Object> moduleOptions) {
- this.configs = configs;
- this.moduleOptions = moduleOptions;
- }
-
- @Override
- public boolean equals(Object o) {
- if (this == o) {
- return true;
- }
-
- if (o == null || getClass() != o.getClass()) {
- return false;
- }
-
- VerificationKeyResolverKey that = (VerificationKeyResolverKey) o;
- return configs.equals(that.configs) &&
moduleOptions.equals(that.moduleOptions);
- }
-
- @Override
- public int hashCode() {
- return Objects.hash(configs, moduleOptions);
- }
-
- }
-
- /**
- * <code>RefCountingVerificationKeyResolver</code> allows us to share a
single
- * {@link CloseableVerificationKeyResolver} instance between multiple
- * {@link AuthenticateCallbackHandler} instances and perform the lifecycle
methods the
- * appropriate number of times.
- */
-
- private static class RefCountingVerificationKeyResolver implements
CloseableVerificationKeyResolver {
-
- private final CloseableVerificationKeyResolver delegate;
-
- private final AtomicInteger count = new AtomicInteger(0);
-
- public
RefCountingVerificationKeyResolver(CloseableVerificationKeyResolver delegate) {
- this.delegate = delegate;
- }
-
- @Override
- public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure>
nestingContext) throws UnresolvableKeyException {
- return delegate.resolveKey(jws, nestingContext);
- }
-
- @Override
- public void init() throws IOException {
- if (count.incrementAndGet() == 1)
- delegate.init();
- }
-
- @Override
- public void close() throws IOException {
- if (count.decrementAndGet() == 0)
- delegate.close();
- }
-
- }
+@Deprecated
+public class OAuthBearerValidatorCallbackHandler extends
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler
{
}
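Review bot: Nothing visible in this commit loads either deprecated shim under its old fully-qualified name, because `OAuthBearerLoginCallbackHandlerTest` and `OAuthBearerValidatorCallbackHandlerTest` are both moved to `org.apache.kafka.common.security.oauthbearer` and now import `CLIENT_ID_CONFIG` and `CLIENT_SECRET_CONFIG` from the new class. The commit message promises that existing users of the old names keep working, and these classes sit on the authentication path, so that promise deserves a test. A small one would instantiate `org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler` and its login counterpart, assert each is an instance of the new handler, and read an inherited constant through the old class name. Test files outside this page may already cover this.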
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandlerTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
similarity index 91%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandlerTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
index ab823a374c0..4899e05c114 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerLoginCallbackHandlerTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandlerTest.java
@@ -15,11 +15,11 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
@@ -36,9 +36,14 @@ import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerTokenCallback;
import
org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenBuilder;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.FileTokenRetriever;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.HttpAccessTokenRetriever;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerTest;
import org.apache.kafka.common.utils.Utils;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.junit.jupiter.api.Test;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandlerTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandlerTest.java
similarity index 90%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandlerTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandlerTest.java
index 67e2a8bc43e..30b08645a94 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerValidatorCallbackHandlerTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandlerTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_EXPECTED_AUDIENCE;
import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -28,8 +28,11 @@ import java.util.Base64;
import java.util.List;
import java.util.Map;
import javax.security.auth.callback.Callback;
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
-import
org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenBuilder;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerTest;
import org.apache.kafka.common.utils.Utils;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.junit.jupiter.api.Test;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenBuilder.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenBuilder.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenBuilder.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenBuilder.java
index 5387d40abf9..8512390926b 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenBuilder.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenBuilder.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ArrayNode;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactoryTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java
similarity index 97%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactoryTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java
index 51953158e4b..741b4d2566d 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenRetrieverFactoryTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenRetrieverFactoryTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
import static org.junit.jupiter.api.Assertions.assertEquals;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactoryTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactoryTest.java
similarity index 94%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactoryTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactoryTest.java
index 12706740cd2..5524db165bb 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorFactoryTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorFactoryTest.java
@@ -15,11 +15,12 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.IOException;
import java.util.Map;
import org.apache.kafka.common.KafkaException;
+import
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler;
import org.junit.jupiter.api.Test;
public class AccessTokenValidatorFactoryTest extends OAuthBearerTest {
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorTest.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorTest.java
index 8407ac3c2a2..dc1027a0c9d 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/AccessTokenValidatorTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/AccessTokenValidatorTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertThrows;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerTokenTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerTokenTest.java
similarity index 97%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerTokenTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerTokenTest.java
index 658d07f358d..e1399b75fe4 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/BasicOAuthBearerTokenTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/BasicOAuthBearerTokenTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtilsTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtilsTest.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtilsTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtilsTest.java
index 0aeb6f7819d..d9421fb0244 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ClaimValidationUtilsTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ClaimValidationUtilsTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
@@ -26,6 +26,7 @@ import java.util.Arrays;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
+
import org.junit.jupiter.api.Test;
public class ClaimValidationUtilsTest extends OAuthBearerTest {
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtilsTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtilsTest.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtilsTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtilsTest.java
index 783579ac6d4..b1ed7c16529 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ConfigurationUtilsTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtilsTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.io.File;
import java.io.IOException;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetrieverTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetrieverTest.java
similarity index 99%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetrieverTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetrieverTest.java
index 66252ffd52f..a193545fd38 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/HttpAccessTokenRetrieverTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetrieverTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertArrayEquals;
import static org.junit.jupiter.api.Assertions.assertEquals;
@@ -36,6 +36,7 @@ import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Random;
+
import org.apache.kafka.common.utils.Utils;
import org.junit.jupiter.api.Test;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtilsTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtilsTest.java
similarity index 97%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtilsTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtilsTest.java
index 2b32408c428..02a89382333 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/JaasOptionsUtilsTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/JaasOptionsUtilsTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidatorTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidatorTest.java
similarity index 93%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidatorTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidatorTest.java
index 6fd23f6a463..fc2e3d2a2e8 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/LoginAccessTokenValidatorTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/LoginAccessTokenValidatorTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
public class LoginAccessTokenValidatorTest extends AccessTokenValidatorTest {
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/OAuthBearerTest.java
similarity index 99%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/OAuthBearerTest.java
index 5edb0b0dcd8..4cad8675079 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/OAuthBearerTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/OAuthBearerTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.junit.jupiter.api.Assertions.fail;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksTest.java
similarity index 95%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksTest.java
index 27711eac3c2..29e36115d38 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RefreshingHttpsJwksTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RefreshingHttpsJwksTest.java
@@ -15,10 +15,10 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
-import static
org.apache.kafka.common.security.oauthbearer.secured.RefreshingHttpsJwks.MISSING_KEY_ID_CACHE_IN_FLIGHT_MS;
-import static
org.apache.kafka.common.security.oauthbearer.secured.RefreshingHttpsJwks.MISSING_KEY_ID_MAX_KEY_LENGTH;
+import static
org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwks.MISSING_KEY_ID_CACHE_IN_FLIGHT_MS;
+import static
org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwks.MISSING_KEY_ID_MAX_KEY_LENGTH;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -29,6 +29,7 @@ import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
+
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.common.utils.Time;
import org.jose4j.http.SimpleResponse;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RetryTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RetryTest.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RetryTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RetryTest.java
index d04b8c5fd73..803cf10741c 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/RetryTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/RetryTest.java
@@ -15,13 +15,14 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import java.io.IOException;
import java.util.concurrent.ExecutionException;
+
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.common.utils.Time;
import org.junit.jupiter.api.Test;
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidatorTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidatorTest.java
similarity index 98%
rename from
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidatorTest.java
rename to
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidatorTest.java
index f24bd590acf..21d5f51c334 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/secured/ValidatorAccessTokenValidatorTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ValidatorAccessTokenValidatorTest.java
@@ -15,7 +15,7 @@
* limitations under the License.
*/
-package org.apache.kafka.common.security.oauthbearer.secured;
+package org.apache.kafka.common.security.oauthbearer.internals.secured;
import java.util.Collections;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
diff --git a/gradle/spotbugs-exclude.xml b/gradle/spotbugs-exclude.xml
index a97831801d9..3ad4f973565 100644
--- a/gradle/spotbugs-exclude.xml
+++ b/gradle/spotbugs-exclude.xml
@@ -494,4 +494,9 @@ For a detailed description of spotbugs bug categories, see
https://spotbugs.read
<Package name="org.apache.kafka.jmh.metadata.generated"/>
</Match>
+ <Match>
+ <Package name="org.apache.kafka.common.security.oauthbearer.secured" />
+ <Bug pattern="NM_SAME_SIMPLE_NAME_AS_SUPERCLASS"/>
+ </Match>
+
</FindBugsFilter>
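Review bot: The added `<Match>` suppresses `NM_SAME_SIMPLE_NAME_AS_SUPERCLASS` for the whole `org.apache.kafka.common.security.oauthbearer.secured` package and has no comment saying why. Going by the commit description, the exclusion presumably exists for the deprecated compatibility subclasses left in that package, so any class added there later would silently inherit it. I would put a comment above the block, for example `<!-- Deprecated KIP-768 compatibility subclasses deliberately reuse the simple name of their internals.secured superclass; remove this exclusion together with the deprecated package. -->`. If only the two callback handlers are affected, the match could be narrowed with `<Class name="..."/>` elements instead of `<Package>`. That would need checking against the package contents, which this hunk does not show.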
diff --git
a/tools/src/main/java/org/apache/kafka/tools/OAuthCompatibilityTool.java
b/tools/src/main/java/org/apache/kafka/tools/OAuthCompatibilityTool.java
index a7edcecc963..40be36fd5d7 100644
--- a/tools/src/main/java/org/apache/kafka/tools/OAuthCompatibilityTool.java
+++ b/tools/src/main/java/org/apache/kafka/tools/OAuthCompatibilityTool.java
@@ -83,12 +83,12 @@ import static
org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_PASSWORD_
import static
org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_PASSWORD_DOC;
import static
org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_TYPE_CONFIG;
import static
org.apache.kafka.common.config.SslConfigs.SSL_TRUSTSTORE_TYPE_DOC;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_ID_DOC;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_DOC;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;
-import static
org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler.SCOPE_DOC;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_DOC;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_DOC;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;
+import static
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.SCOPE_DOC;
import java.util.HashMap;
import java.util.List;
@@ -106,12 +106,12 @@ import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.types.Password;
-import
org.apache.kafka.common.security.oauthbearer.secured.AccessTokenRetriever;
-import
org.apache.kafka.common.security.oauthbearer.secured.AccessTokenRetrieverFactory;
-import
org.apache.kafka.common.security.oauthbearer.secured.AccessTokenValidator;
-import
org.apache.kafka.common.security.oauthbearer.secured.AccessTokenValidatorFactory;
-import
org.apache.kafka.common.security.oauthbearer.secured.CloseableVerificationKeyResolver;
-import
org.apache.kafka.common.security.oauthbearer.secured.VerificationKeyResolverFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetrieverFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidatorFactory;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver;
+import
org.apache.kafka.common.security.oauthbearer.internals.secured.VerificationKeyResolverFactory;
import org.apache.kafka.common.utils.Exit;
public class OAuthCompatibilityTool {