Daniel Fonai created KAFKA-13730:
------------------------------------

             Summary: OAuth access token validation fails if it does not contain the "sub" claim
                 Key: KAFKA-13730
                 URL: https://issues.apache.org/jira/browse/KAFKA-13730
             Project: Kafka
          Issue Type: Bug
          Components: clients
    Affects Versions: 3.1.0
            Reporter: Daniel Fonai

Client authentication fails when the client is configured to use OAuth and the JWT access token does {*}not contain the sub claim{*}. This issue was discovered while testing Kafka integration with the Ping Identity OAuth server. According to Ping's [documentation|https://apidocs.pingidentity.com/pingone/devguide/v1/api/#access-tokens-and-id-tokens]:
{quote}
sub – A string that specifies the identifier for the authenticated user. This claim is not present for client_credentials tokens.
{quote}
In this case the Kafka broker rejects the token regardless of the value of the [sasl.oauthbearer.sub.claim.name|https://kafka.apache.org/documentation/#brokerconfigs_sasl.oauthbearer.sub.claim.name] property.

----

Steps to reproduce:

1. Client configuration:
{noformat}
security.protocol=SASL_PLAINTEXT
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=https://oauth.server.fqdn/token/endpoint
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="kafka-client" \
  clientSecret="kafka-client-secret";
# claim name for the principal to be extracted from, needed for client side validation too
sasl.oauthbearer.sub.claim.name=client_id
{noformat}

2. Broker configuration:
{noformat}
sasl.enabled.mechanisms=...,OAUTHBEARER
listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
listener.name.sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
sasl.oauthbearer.jwks.endpoint.url=https://oauth.server.fqdn/jwks/endpoint
# based on OAuth server setup
sasl.oauthbearer.expected.audience=oauth-audience
# claim name for the principal to be extracted from
sasl.oauthbearer.sub.claim.name=client_id
{noformat}

3. Try to perform some client operation:
{noformat}
kafka-topics --bootstrap-server `hostname`:9092 --list --command-config oauth-client.properties
{noformat}

Result: Client authentication fails due to an invalid access token.

- client log:
{noformat}
[2022-03-11 16:21:20,461] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (localhost/127.0.0.1:9092) failed authentication due to: {"status":"invalid_token"} (org.apache.kafka.clients.NetworkClient)
[2022-03-11 16:21:20,463] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"}
Error while executing topic command : {"status":"invalid_token"}
[2022-03-11 16:21:20,468] ERROR org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"}
 (kafka.admin.TopicCommand$)
{noformat}

- broker log:
{noformat}
[2022-03-11 16:21:20,150] WARN Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.] (org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler)
org.apache.kafka.common.security.oauthbearer.secured.ValidateException: Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
	at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:159)
	at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handleValidatorCallback(OAuthBearerValidatorCallbackHandler.java:184)
	at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handle(OAuthBearerValidatorCallbackHandler.java:169)
	at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.process(OAuthBearerSaslServer.java:156)
	at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.evaluateResponse(OAuthBearerSaslServer.java:101)
	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:451)
	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:280)
	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
	at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
	at kafka.network.Processor.poll(SocketServer.scala:989)
	at kafka.network.Processor.run(SocketServer.scala:892)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
	at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:466)
	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:311)
	at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:433)
	at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:157)
	... 12 more
[2022-03-11 16:21:20,154] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /127.0.0.1 ({"status":"invalid_token"}) (org.apache.kafka.common.network.Selector)
{noformat}

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
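An added example, not Kafka's own code and not the fix for this issue, showing the validation a broker needs for client_credentials tokens: jose4j (the library in the stack trace above) still verifies signature, algorithm, issuer, audience and lifetime, but the principal is resolved from a configurable claim name instead of requiring `sub`, so a token shaped like the one in the broker log (client_id present, sub absent) is accepted when the configured claim exists and rejected only when it does not. The RSA key, issuer and claim values are constructed for the demo.

```java
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

public class ConfigurableSubClaimValidator {
    static final String ISSUER = "https://oauth.server.fqdn"; // constructed; the report's placeholder host
    static final String AUDIENCE = "oauth-audience";          // sasl.oauthbearer.expected.audience above

    // Enforces signature, alg, iss, aud, exp and iat but deliberately omits setRequireSubject(): with it,
    // jose4j fails with "[14] No Subject (sub) claim is present" before any other claim is consulted.
    static JwtConsumer buildConsumer(RsaJsonWebKey verificationKey) {
        return new JwtConsumerBuilder()
                .setJwsAlgorithmConstraints(ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256)
                .setVerificationKey(verificationKey.getKey())
                .setExpectedIssuer(ISSUER).setExpectedAudience(AUDIENCE)
                .setRequireExpirationTime().setRequireIssuedAt()
                .build();
    }
    // Principal is read from subClaimName (the role of sasl.oauthbearer.sub.claim.name); only its absence fails.
    static String principalOf(JwtConsumer consumer, String token, String subClaimName) throws Exception {
        JwtClaims claims = consumer.processToClaims(token); // InvalidJwtException on bad signature/iss/aud/exp
        String principal = claims.getStringClaimValue(subClaimName);
        if (principal == null || principal.isEmpty())
            throw new SecurityException("token carries no '" + subClaimName + "' claim to use as principal");
        return principal;
    }
    // Constructed client_credentials-style token: client_id present, no sub, like the one in the broker log.
    static String mintToken(RsaJsonWebKey signingKey) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER); claims.setAudience(AUDIENCE);
        claims.setIssuedAtToNow(); claims.setExpirationTimeMinutesInTheFuture(60);
        claims.setClaim("client_id", "kafka-client");
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(signingKey.getPrivateKey()); jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }
    public static void main(String[] args) throws Exception {
        RsaJsonWebKey key = RsaJwkGenerator.generateJwk(2048);
        String token = mintToken(key);
        System.out.println("principal: " + principalOf(buildConsumer(key), token, "client_id"));
        try { principalOf(buildConsumer(key), token, "sub"); }
        catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In production the verification key comes from the JWKS endpoint (sasl.oauthbearer.jwks.endpoint.url) rather than a locally generated key; the claim-handling logic is unchanged.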