Romain Quinio created KAFKA-20101:
-------------------------------------
Summary: Support org.apache.kafka.sasl.oauthbearer.allowed.urls=*
Key: KAFKA-20101
URL: https://issues.apache.org/jira/browse/KAFKA-20101
Project: Kafka
Issue Type: Improvement
Components: clients
Affects Versions: 4.1.1
Reporter: Romain Quinio
With Kafka 4.0.0+ and [https://github.com/apache/kafka/pull/18519], using
{{sasl.mechanism=OAUTHBEARER}} requires whitelisting the value of
{{sasl.oauthbearer.token.endpoint.url}} by setting the Java system property
{{-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls}} at JVM startup.
[https://docs.confluent.io/platform/current/security/authentication/sasl/oauthbearer/configure-clients.html]
mentions {{org.apache.kafka.sasl.oauthbearer.allowed.urls=*}}
{code}
This property specifies a comma-separated list of allowed IdP JWKS (JSON Web
Key Set) and token endpoint URLs. Use * (asterisk) as the value to allow any
endpoint.
org.apache.kafka.sasl.oauthbearer.allowed.urls=*
You should consult the specific Kafka client and IdP documentation for the
exact interpretation and security implications of such a broad setting.
{code}
But this configuration doesn't appear to work with kafka-client /
kafka-streams 4.1.1.
Debugging the code shows that the logic does an exact match between both strings
(https://github.com/apache/kafka/blame/74ebbae8ece464573c1288e8f233ef804074fe7b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java#L407).
It would help to have such a mechanism, to avoid duplicating the endpoint URL as
a system property, which is error-prone. In container-based environments, the
Kafka client configuration is immutable, and the assumption of CVE-2025-27817
that "Kafka Clients configurations can be specified by an untrusted party" is
not applicable.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
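A pre-flight check that a deployment pipeline could run so the client properties and the JVM flag never drift apart, as an added Python example rather than Kafka's own code: it models the allowlist as the exact string comparison the issue describes (so `*` is treated as a literal, not a wildcard) and flags near-misses such as a trailing slash. The properties file and JVM options are constructed sample inputs; the `sasl.oauthbearer.jwks.endpoint.url` key is included because the quoted documentation says JWKS URLs are subject to the same allowlist.

```python
# Pre-flight check for Kafka 4.0+ OAUTHBEARER clients: each OAuth endpoint URL in
# the client config must appear character-for-character in the JVM allowlist property.
import shlex

ALLOWED_URLS_PROP = "org.apache.kafka.sasl.oauthbearer.allowed.urls"
# Client properties whose values are checked against the allowlist.
URL_KEYS = ("sasl.oauthbearer.token.endpoint.url", "sasl.oauthbearer.jwks.endpoint.url")

# Constructed sample inputs (not from the issue): a trailing slash and "*" both fail.
CLIENT_PROPS = """\
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.oauthbearer.token.endpoint.url=https://idp.example/oauth2/token
"""
JVM_OPTS = f"-Xmx512m -D{ALLOWED_URLS_PROP}=*,https://idp.example/oauth2/token/"

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments, no escapes."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def allowed_urls_from_jvm_opts(jvm_opts):
    """Return the comma-separated allowlist from -D<prop>=..., or [] if not set."""
    for arg in shlex.split(jvm_opts):
        if arg.startswith(f"-D{ALLOWED_URLS_PROP}="):
            return [u.strip() for u in arg.split("=", 1)[1].split(",") if u.strip()]
    return []

def check_allowlist(props, allowed):
    """Problems found by exact string comparison, as the issue describes; [] means OK."""
    problems = []
    if "*" in allowed:
        problems.append("'*' is compared literally and does not allow every URL")
    for key in URL_KEYS:
        url = props.get(key)
        if url is None or url in allowed:
            continue  # absent, or an exact match: nothing to report
        near = [a for a in allowed if a.rstrip("/").lower() == url.rstrip("/").lower()]
        hint = f" (near-miss in allowlist: {near[0]!r})" if near else ""
        problems.append(f"{key}={url!r} is not in the allowlist{hint}")
    return problems
```

Run `check_allowlist(parse_properties(CLIENT_PROPS), allowed_urls_from_jvm_opts(JVM_OPTS))` before starting the client; an empty list means the URLs match exactly.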