Re: [PR] KAFKA-18573: Add support for OAuth jwt-bearer grant type [kafka]

Thu, 29 May 2025 16:13:19 -0700 


kirktrue commented on code in PR #19754:
URL: https://github.com/apache/kafka/pull/19754#discussion_r2114877084


##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -129,6 +130,186 @@ public class SaslConfigs {
             + " authentication provider."
             + LOGIN_EXPONENTIAL_BACKOFF_NOTE;
 
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = 
"sasl.oauthbearer.jwt.retriever.class";
+    public static final String DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = 
"org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever";
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC = 
"<p>The fully-qualified class name of a <code>JwtRetriever</code> 
implementation used to"
+        + " request tokens from the identity provider.</p>"
+        + "<p>The default configuration value represents a class that 
maintains backward compatibility with previous versions of"
+        + " Apache Kafka. The default implementation uses the configuration to 
determine which concrete implementation to create."
+        + "<p>Other implementations that are provided include:</p>"
+        + "<ul>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.FileJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever</code></li>"
+        + "</ul>";
+
+    public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"sasl.oauthbearer.jwt.validator.class";
+    public static final String 
DEFAULT_BROKER_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator";
+    public static final String 
DEFAULT_CLIENT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"org.apache.kafka.common.security.oauthbearer.ClientJwtValidator";

Review Comment:
   Merged into one configuration that uses `DefaultJwtValidator`.



##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java:
##########
@@ -50,9 +64,11 @@
  *         Basic structural validation of the <code>b64token</code> value as 
defined in
  *         <a href="https://tools.ietf.org/html/rfc6750#section-2.1";>RFC 6750 
Section 2.1</a>
  *     </li>
- *     <li>Basic conversion of the token into an in-memory data structure</li>
  *     <li>
- *         Presence of scope, <code>exp</code>, subject, <code>iss</code>, and
+ *         Basic conversion of the token into an in-memory data structure

Review Comment:
   Fixed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to