Keith Wall created KAFKA-19790:
----------------------------------
Summary: Parsing of the scope claim does not comply with RFC-8693
Key: KAFKA-19790
URL: https://issues.apache.org/jira/browse/KAFKA-19790
Project: Kafka
Issue Type: Bug
Reporter: Keith Wall
I notice that the code in Kafka for handling of the scopes claim does not
comply with the RFC.
[https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim
|https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim] says:
{quote}The value of the {{scope}} claim is a JSON string containing a
space-separated list of scopes associated with the token, in the format
described in [Section 3.3|https://www.rfc-editor.org/rfc/rfc6749#section-3.3]
of [[RFC6749|https://datatracker.ietf.org/doc/html/rfc6749]]
{quote}
However, the code in Kafka that parses the JWT payload does not permit a
space-separated list. It would treat a value like "email phone address" as a
single scope "email phone address" rather than three separate scopes of
"email", "phone", "address".
The affected code is here:
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java#L166]
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L343]
Impact:
Looking at the production code in Apache Kafka itself, I think the defect is
currently harmless. As far as I can tell, there's no production code that
makes use of
org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken#scope.
I think there would be a potential for impact for a user writing their own
OAuthBearerValidatorCallbackHandler that uses Kafka's BrokerJwtValidator and
makes use of the scope value.
As far as I can tell, the other impact of the defect would come to a user using
their own
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
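As an added illustration (not code from Kafka or from this issue), a parser for the scope claim that follows the RFC 6749 section 3.3 ABNF quoted above, beside the whole-string behaviour the issue describes; the class name ScopeClaimParser, the sample claim and the strict single-space rule are my own choices.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/** Parses an OAuth 2.0 "scope" value per RFC 6749 section 3.3 (space-separated scope-tokens). */
public final class ScopeClaimParser {

    // scope-token = 1*( %x21 / %x23-5B / %x5D-7E ): printable ASCII except SP, '"' and '\'
    private static boolean isScopeTokenChar(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    /** Returns the distinct scopes in encounter order, or throws if the value is not well-formed. */
    public static Set<String> parse(String scopeClaim) {
        if (scopeClaim == null || scopeClaim.isEmpty()) {
            throw new IllegalArgumentException("scope claim must be a non-empty string");
        }
        Set<String> scopes = new LinkedHashSet<>();
        // scope = scope-token *( SP scope-token ): exactly one SP between tokens, none leading/trailing.
        // Rejecting empty tokens is the strict ABNF reading (an assumption, not Kafka's behaviour).
        for (String token : scopeClaim.split(" ", -1)) {
            if (token.isEmpty()) {
                throw new IllegalArgumentException("empty scope-token in: \"" + scopeClaim + "\"");
            }
            for (int i = 0; i < token.length(); i++) {
                if (!isScopeTokenChar(token.charAt(i))) {
                    throw new IllegalArgumentException("illegal character in scope-token: " + token);
                }
            }
            scopes.add(token);
        }
        return Collections.unmodifiableSet(scopes);
    }

    /** Mirrors the defect described in the issue: the whole claim value becomes one scope. */
    public static Set<String> parseAsSingleScope(String scopeClaim) {
        return Collections.singleton(scopeClaim);
    }

    public static void main(String[] args) {
        String claim = "email phone address";            // constructed sample claim value
        Set<String> rfc = parse(claim);                   // [email, phone, address]
        Set<String> naive = parseAsSingleScope(claim);    // [email phone address]
        System.out.println("RFC 6749 parse    : " + rfc + " contains \"email\"? " + rfc.contains("email"));
        System.out.println("single-scope parse: " + naive + " contains \"email\"? " + naive.contains("email"));
        // A callback handler that authorises on a required scope only finds it with the RFC parse.
    }
}
```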