This is an automated email from the ASF dual-hosted git repository.
manikumar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new 52a3fa07446 KAFKA-15878: KIP-768 - Extend support for opaque (i.e.
non-JWT) tokens in SASL/OAUTHBEARER (#14818)
52a3fa07446 is described below
commit 52a3fa07446f9c108399d47dbfb1685989a5d6eb
Author: Jamie <[email protected]>
AuthorDate: Sat Mar 2 08:13:56 2024 +1300
KAFKA-15878: KIP-768 - Extend support for opaque (i.e. non-JWT) tokens in
SASL/OAUTHBEARER (#14818)
# Overview
* This change pertains to [SASL/OAUTHBEARER
](https://kafka.apache.org/documentation/#security_sasl_oauthbearer) mechanism
of Kafka authentication.
* Kafka clients can use [SASL/OAUTHBEARER
](https://kafka.apache.org/documentation/#security_sasl_oauthbearer)
mechanism by overriding the [custom call back
handlers](https://kafka.apache.org/documentation/#security_sasl_oauthbearer_prod)
.
*
[KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575)
available from v3.1 further extends the mechanism with a production grade
implementation.
* Kafka's [SASL/OAUTHBEARER
](https://kafka.apache.org/documentation/#security_sasl_oauthbearer) mechanism
currently **rejects the non-JWT (i.e. opaque) tokens**. This is because of a
more restrictive set of characters than what
[RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)
recommends.
* This JIRA can be considered an extension of
[KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575)
to support the opaque tokens as well apart from the JWT tokens.
# Solution
* Have updated the regex in the offending class to be compliant with
the [RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)
* Have provided a supporting test case that includes the possible character
set defined in
[RFC-6750](https://datatracker.ietf.org/doc/html/rfc6750#section-2.1)
---------
Co-authored-by: Anuj Sharma <[email protected]>
Co-authored-by: Jamie Holmes <[email protected]>
Co-authored-by: Christopher Webb <[email protected]>
Reviewers: Manikumar Reddy <[email protected]>, Kirk True
<[email protected]>
---
.../internals/OAuthBearerClientInitialResponse.java | 2 +-
.../internals/OAuthBearerClientInitialResponseTest.java | 12 ++++++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponse.java
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponse.java
index 73bfcd15c12..3b340131cf8 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponse.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponse.java
@@ -34,7 +34,7 @@ public class OAuthBearerClientInitialResponse {
private static final String VALUE = "[\\x21-\\x7E \t\r\n]+";
private static final String KVPAIRS = String.format("(%s=%s%s)*", KEY,
VALUE, SEPARATOR);
- private static final Pattern AUTH_PATTERN =
Pattern.compile("(?<scheme>[\\w]+)[ ]+(?<token>[-_\\.a-zA-Z0-9]+)");
+ private static final Pattern AUTH_PATTERN =
Pattern.compile("(?<scheme>[\\w]+)[ ]+(?<token>[-_~+/\\.a-zA-Z0-9]+([=]*))");
private static final Pattern CLIENT_INITIAL_RESPONSE_PATTERN =
Pattern.compile(
String.format("n,(a=(?<authzid>%s))?,%s(?<kvpairs>%s)%s",
SASLNAME, SEPARATOR, KVPAIRS, SEPARATOR));
public static final String AUTH_KEY = "auth";
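Review bot: The inner capture group `([=]*)` in the new AUTH_PATTERN is unnamed and, as far as this hunk shows, never read, so it only adds a numbered group for a later maintainer to account for; `(?<token>[-_~+/\\.a-zA-Z0-9]+=*)` accepts exactly the same strings. Since the character class now encodes a specific grammar rather than a loose JWT-ish set, a comment above the constant would spare the next reader a trip to the RFC, e.g. `// Token grammar from RFC 6750 section 2.1 (b64token): 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="`. Whether the pattern is applied with matches() or find(), and therefore whether the trailing `=*` is effectively anchored, is decided by code outside this hunk; the enclosing class body also continues outside it.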
diff --git
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponseTest.java
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponseTest.java
index 3b3c90bf1d2..fc44297a2f3 100644
---
a/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponseTest.java
+++
b/clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/OAuthBearerClientInitialResponseTest.java
@@ -102,6 +102,18 @@ public class OAuthBearerClientInitialResponseTest {
assertEquals("143", response.extensions().map().get("port"));
}
+ // RFC 6750 token format 1*( ALPHA / DIGIT /"-" / "." / "_" / "~" / "+" /
"/" ) *"="
+ @Test
+ public void testCharSupportForRfc6750Token() throws Exception {
+ String message =
"n,[email protected],\u0001host=server.example.com\u0001port=143\u0001" +
+ "auth=Bearer
vF-9.df_t4qm~Tc2Nvb3RlckBhbHR+hdmlzdGEuY29/tCg==\u0001\u0001";
+ OAuthBearerClientInitialResponse response = new
OAuthBearerClientInitialResponse(message.getBytes(StandardCharsets.UTF_8));
+ assertEquals("vF-9.df_t4qm~Tc2Nvb3RlckBhbHR+hdmlzdGEuY29/tCg==",
response.tokenValue());
+ assertEquals("[email protected]", response.authorizationId());
+ assertEquals("server.example.com",
response.extensions().map().get("host"));
+ assertEquals("143", response.extensions().map().get("port"));
+ }
+
@Test
public void testNoExtensionsFromByteArray() throws Exception {
String message = "n,[email protected],\u0001" +