Christian Semaan created KAFKA-20184:
----------------------------------------
Summary: jose4j marked as compileOnly in clients module causes
ClassNotFoundException at runtime for OAuth authentication
Key: KAFKA-20184
URL: https://issues.apache.org/jira/browse/KAFKA-20184
Project: Kafka
Issue Type: Bug
Components: clients
Affects Versions: 3.1.0
Reporter: Christian Semaan
The `jose4j` library is currently marked as `compileOnly` in the `:clients`
module dependency configuration
https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a comment
stating "only used by broker". However, this is incorrect and causes runtime
issues.
OAuth implementation classes are in the clients module, not just broker:
* org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver (interface extending jose4j's VerificationKeyResolver)
* org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
* org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
Impact:
Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER
authentication, the application will encounter `ClassNotFoundException` or
`NoClassDefFoundError` for jose4j classes at runtime unless users manually add
jose4j as a dependency to their applications.
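A startup check for the failure described in this report, as an added example that is not part of the Jira issue or the Kafka code base: it fails fast with a clear message when a client is configured for SASL/OAUTHBEARER but jose4j is missing from the runtime classpath, instead of surfacing `ClassNotFoundException` or `NoClassDefFoundError` at authentication time. The class `Jose4jPreflight` and its methods are hypothetical names, and the check assumes the application loads Kafka through the thread context class loader.

```java
import java.util.Properties;

/** Added example (hypothetical helper, not Kafka code): verify jose4j is loadable before using OAUTHBEARER. */
public final class Jose4jPreflight {

    // jose4j interface that, per the report, CloseableVerificationKeyResolver extends.
    static final String JOSE4J_CLASS = "org.jose4j.keys.resolvers.VerificationKeyResolver";

    /** True when the client configuration selects the OAUTHBEARER SASL mechanism. */
    static boolean usesOauthBearer(Properties clientConfig) {
        return "OAUTHBEARER".equals(clientConfig.getProperty("sasl.mechanism", "").trim());
    }

    /** Resolve the class without running its static initializers. */
    static boolean isLoadable(String className, ClassLoader loader) {
        try {
            Class.forName(className, false, loader);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** Throws before any producer or consumer is created if jose4j is required but absent. */
    static void check(Properties clientConfig) {
        if (!usesOauthBearer(clientConfig)) {
            return; // other mechanisms do not touch the jose4j-backed resolvers
        }
        ClassLoader loader = Thread.currentThread().getContextClassLoader();
        if (loader == null) {
            loader = Jose4jPreflight.class.getClassLoader();
        }
        if (!isLoadable(JOSE4J_CLASS, loader)) {
            throw new IllegalStateException(
                "sasl.mechanism=OAUTHBEARER but " + JOSE4J_CLASS + " is not on the classpath; "
                + "add org.bitbucket.b_c:jose4j as a runtime dependency of this application");
        }
    }

    public static void main(String[] args) {
        Properties config = new Properties(); // constructed sample client configuration
        config.setProperty("security.protocol", "SASL_SSL");
        config.setProperty("sasl.mechanism", "OAUTHBEARER");
        check(config);
        System.out.println("jose4j is available for SASL/OAUTHBEARER");
    }
}
```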