pvillard31 commented on code in PR #10567:
URL: https://github.com/apache/nifi/pull/10567#discussion_r2571462036


##########
nifi-extension-bundles/nifi-kafka-bundle/nifi-kafka-service-shared/src/main/java/org/apache/nifi/kafka/service/security/OAuthBearerLoginCallbackHandler.java:
##########
@@ -72,20 +82,32 @@ public void configure(final Map<String, ?> configs, final 
String saslMechanism,
         this.accessTokenProvider = accessTokenProvider;
         this.accessTokenValidator = new ClientJwtValidator();
         this.accessTokenValidator.configure(configs, saslMechanism, List.of());
+
+        this.saslExtensions = options.entrySet().stream()
+                .filter(entry -> isSaslExtensionProperty(entry.getKey()))
+                .collect(Collectors.collectingAndThen(
+                        Collectors.toMap(entry -> 
removeSaslExtensionPropertyPrefix(entry.getKey()), entry -> 
entry.getValue().toString()),
+                        Collections::unmodifiableMap));
     }
 
     @Override
-    public void handle(final Callback[] callbacks) {
+    public void handle(final Callback[] callbacks) throws 
UnsupportedCallbackException {
         for (final Callback callback : callbacks) {
             if (callback instanceof OAuthBearerTokenCallback) {
                 handleTokenCallback((OAuthBearerTokenCallback) callback);
+            } else if (callback instanceof SaslExtensionsCallback) {
+                handleExtensionsCallback((SaslExtensionsCallback) callback);
+            } else {
+                throw new UnsupportedCallbackException(callback);
             }
         }
     }
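
Review bot: In the `saslExtensions` stream added to `configure`, `entry.getValue().toString()` throws a bare NullPointerException when a matching option has a null value, and `Collectors.toMap` rejects null values as well, so one unset extension property would fail handler configuration without naming the offending key. Consider filtering out or explicitly rejecting null values before the collect, with an error message that names the property. A short comment on which option prefix `isSaslExtensionProperty` matches would also help, since every matching option is copied into `saslExtensions` with no further validation in these lines.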

Review Comment:
   Could this be a breaking change? The method now throws 
`UnsupportedCallbackException` for every callback type other than 
`OAuthBearerTokenCallback` and `SaslExtensionsCallback`. Kafka’s 
`OAuthBearerLoginModule` routinely delivers an 
`OAuthBearerExtensionsValidatorCallback` immediately after the token callback 
(even when the client does not register a custom validator) to allow handlers 
to validate SASL extensions. Prior to this change the handler simply ignored 
unknown callbacks, so the login completed successfully.


