kirktrue commented on code in PR #19754:
URL: https://github.com/apache/kafka/pull/19754#discussion_r2114770695


##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java:
##########
@@ -239,14 +275,46 @@ public <T> T get(String name) {
 
     // visible for testing
     // make sure the url is in the 
"org.apache.kafka.sasl.oauthbearer.allowed.urls" system property
-    void throwIfURLIsNotAllowed(String value) {
-        Set<String> allowedUrls = Arrays.stream(
-                        
System.getProperty(ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG, 
ALLOWED_SASL_OAUTHBEARER_URLS_DEFAULT).split(","))
-                .map(String::trim)
-                .collect(Collectors.toSet());
-        if (!allowedUrls.contains(value)) {
-            throw new ConfigException(value + " is not allowed. Update system 
property '"
-                    + ALLOWED_SASL_OAUTHBEARER_URLS_CONFIG + "' to allow " + 
value);
+    void throwIfURLIsNotAllowed(String configName, String configValue) {
+        throwIfResourceIsNotAllowed(
+            "file",

Review Comment:
   🤦‍♂️ Fixed.



##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -215,6 +396,23 @@ public static void addClientSaslSupport(ConfigDef config) {
                 .define(SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS, 
ConfigDef.Type.INT, null, ConfigDef.Importance.LOW, 
SASL_LOGIN_READ_TIMEOUT_MS_DOC)
                 .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS, 
ConfigDef.Type.LONG, DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS, 
ConfigDef.Importance.LOW, SASL_LOGIN_RETRY_BACKOFF_MAX_MS_DOC)
                 .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS, 
ConfigDef.Type.LONG, DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MS, 
ConfigDef.Importance.LOW, SASL_LOGIN_RETRY_BACKOFF_MS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, 
ConfigDef.Type.CLASS, DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, 
ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, 
ConfigDef.Type.CLASS, DEFAULT_CLIENT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, 
ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_GRANT_TYPE, 
ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE, 
ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_GRANT_TYPE_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_SCOPE, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_SCOPE_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET, 
ConfigDef.Type.PASSWORD, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_ALGORITHM, 
ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_ASSERTION_ALGORITHM, 
CaseInsensitiveValidString.in("ES256", "RS256"), ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_ALGORITHM_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS, 
ConfigDef.Type.INT, DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS, 
Range.between(0, 86400), ConfigDef.Importance.LOW, 
SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE, 
ConfigDef.Type.BOOLEAN, DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE, 
ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS, 
ConfigDef.Type.INT, DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS, 
Range.between(0, 3600), ConfigDef.Importance.LOW, 
SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_FILE, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_FILE_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE_DOC)
+                
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE, 
ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, 
SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE_DOC)
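Review bot: The last added `.define(...)` registers `SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE` as `ConfigDef.Type.STRING`, while the client secret a few lines above it uses `ConfigDef.Type.PASSWORD`. A STRING-typed value is kept as a plain string, so the passphrase that protects the assertion signing key can end up in logged or dumped configuration values, whereas PASSWORD values are wrapped and masked when printed. I would change the line to `.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE, ConfigDef.Type.PASSWORD, null, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE_DOC)`. The BrokerSecurityConfigs.java hunk has the same STRING definition and needs the same change; any code that reads the value as a string (not visible here) would presumably have to read it as a password instead. The `.define` chain starts before and continues past this hunk.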

Review Comment:
   Done.



##########
clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java:
##########
@@ -190,6 +194,23 @@ public class BrokerSecurityConfigs {
             .define(SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS, INT, null, LOW, 
SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS_DOC)
             .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS, LONG, 
SaslConfigs.DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS, LOW, 
SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS_DOC)
             .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS, LONG, 
SaslConfigs.DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MS, LOW, 
SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, CLASS, 
SaslConfigs.DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, CLASS, 
SaslConfigs.DEFAULT_BROKER_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_GRANT_TYPE, STRING, 
SaslConfigs.DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_GRANT_TYPE_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_SCOPE, STRING, null, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_SCOPE_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID, 
STRING, null, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID_DOC)
+            
.define(SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET, 
PASSWORD, null, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_ALGORITHM, STRING, 
SaslConfigs.DEFAULT_SASL_OAUTHBEARER_ASSERTION_ALGORITHM, 
ConfigDef.CaseInsensitiveValidString.in("ES256", "RS256"), MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_ASSERTION_ALGORITHM_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD, STRING, 
null, MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS, 
INT, SaslConfigs.DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS, 
ConfigDef.Range.between(0, 86400), LOW, 
SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS, STRING, 
null, MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE, 
BOOLEAN, SaslConfigs.DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE, 
MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS, 
INT, SaslConfigs.DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS, 
ConfigDef.Range.between(0, 3600), LOW, 
SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB, STRING, 
null, MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_FILE, STRING, null, 
MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_FILE_DOC)
+            .define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE, 
STRING, null, MEDIUM, 
SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE_DOC)
+            
.define(SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE, STRING, 
null, MEDIUM, SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE_DOC)

Review Comment:
   Done.


