lianetm commented on code in PR #19754:
URL: https://github.com/apache/kafka/pull/19754#discussion_r2116573237


##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -129,6 +130,186 @@ public class SaslConfigs {
             + " authentication provider."
             + LOGIN_EXPONENTIAL_BACKOFF_NOTE;
 
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = 
"sasl.oauthbearer.jwt.retriever.class";
+    public static final String DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = 
"org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever";
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC = 
"<p>The fully-qualified class name of a <code>JwtRetriever</code> 
implementation used to"
+        + " request tokens from the identity provider.</p>"
+        + "<p>The default configuration value represents a class that 
maintains backward compatibility with previous versions of"
+        + " Apache Kafka. The default implementation uses the configuration to 
determine which concrete implementation to create."
+        + "<p>Other implementations that are provided include:</p>"
+        + "<ul>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.FileJwtRetriever</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever</code></li>"
+        + "</ul>";
+
+    public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"sasl.oauthbearer.jwt.validator.class";
+    public static final String 
DEFAULT_BROKER_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator";
+    public static final String 
DEFAULT_CLIENT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = 
"org.apache.kafka.common.security.oauthbearer.ClientJwtValidator";
+    public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC = 
"<p>The fully-qualified class name of a <code>JwtValidator</code> 
implementation used to"
+        + " validate the JWT from the identity provider.</p>"
+        + "<p>The default configuration value represents a class that 
maintains backward compatibility with previous versions of"
+        + " Apache Kafka. The default implementation uses the configuration to 
determine which concrete implementation to create."
+        + "<p>Other implementations that are provided include:</p>"
+        + "<ul>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientJwtValidator</code></li>"
+        + 
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator</code></li>"
+        + "</ul>";
+
+    public static final String SASL_OAUTHBEARER_GRANT_TYPE = 
"sasl.oauthbearer.grant.type";
+    public static final String DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE = 
"client_credentials";
+    public static final String SASL_OAUTHBEARER_GRANT_TYPE_DOC = "The OAuth 
grant type to use when communicating with the identity provider. On the whole, 
the"
+        + " OAuth layer does not rely on this value and expects it to be used 
and/or verified for correctness by the <code>JwtRetriever</code> 
implementation."
+        + " The default value of <code>client_credentials</code> maintains 
backward compatibility. The built-in grant types are:"
+        + "<ul>"
+        + "<li><code>client_credentials</code></li>"
+        + "<li><code>urn:ietf:params:oauth:grant-type:jwt-bearer</code></li>"
+        + "</ul>"
+        + "<p>The OAuth code in Apache Kafka does not limit the values that 
are used. A user can write a custom <code>JwtRetriever</code> implementation 
that uses"
+        + " a completely different grant type, if desired.</p>";
+
+    public static final String SASL_OAUTHBEARER_SCOPE = 
"sasl.oauthbearer.scope";
+    public static final String SASL_OAUTHBEARER_SCOPE_DOC = "<p>This is the 
level of access a client application is granted to a resource or API which is"
+        + " included in the token request. If provided, it should match one or 
more scopes configured in the identity provider.</p>"
+        + "<p>"
+        + "The scope was previously stored as part of the 
<code>sasl.jaas.config</code> configuration with the key <code>scope</code>."
+        + " For backward compatibility, the <code>scope</code> JAAS option can 
still be used, but it is deprecated and will be removed in a future version."

Review Comment:
   I see, interesting case then. Should we then add a note on the docs of the `sasl.jaas.config` config itself? (So users know that the OAuth options of it are deprecated and they should use the `sasl.oauthbearer` properties instead?)


