I see this issue too when I run OAuth2 on kafka client 4.1.1. I packaged jose4j and then it worked.
Interestingly, when I use kafka client 3.9.1 or kafka client 3.9.0, I do not see this exception at all. Works perfectly fine even if I do not package jose4j jar file. On Fri, Feb 13, 2026 at 5:27 PM Christian Semaan (Jira) <[email protected]> wrote: > Christian Semaan created KAFKA-20184: > ---------------------------------------- > > Summary: jose4j marked as compileOnly in clients module > causes ClassNotFoundException at runtime for OAuth authentication > Key: KAFKA-20184 > URL: https://issues.apache.org/jira/browse/KAFKA-20184 > Project: Kafka > Issue Type: Bug > Components: clients > Affects Versions: 3.1.0 > Reporter: Christian Semaan > > > The `jose4j` library is currently marked as `compileOnly` in the > `:clients` module dependency configuration > https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a > comment stating "only used by broker". However, this is incorrect and > causes runtime issues. > > OAuth implementation classes are in the clients module, not just broker: * > org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver > (interface extending jose4j's VerificationKeyResolver) > * > org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver > * > org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver > > Impact: > Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER > authentication, the application will encounter `ClassNotFoundException` or > `NoClassDefFoundError` for jose4j classes at runtime unless users manually > add jose4j as a dependency to their applications. > > > > > -- > This message was sent by Atlassian Jira > (v8.20.10#820010) >
