[ 
https://issues.apache.org/jira/browse/KAFKA-19790?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18030049#comment-18030049
 ] 

Keith Wall commented on KAFKA-19790:
------------------------------------

This issue is not blocking me (I noticed it in passing), but I'm happy to put 
up a PR if there is interest in fixing it.

> Parsing of the scope claim does not comply with RFC-8693
> --------------------------------------------------------
>
>                 Key: KAFKA-19790
>                 URL: https://issues.apache.org/jira/browse/KAFKA-19790
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Keith Wall
>            Priority: Minor
>
> I notice that the code in Kafka for handling of the scopes claim does not 
> comply with the RFC.
> [https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim] says:
> {quote}The value of the {{scope}} claim is a JSON string containing a 
> space-separated list of scopes associated with the token, in the format 
> described in [Section 3.3|https://www.rfc-editor.org/rfc/rfc6749#section-3.3] 
> of [[RFC6749|https://datatracker.ietf.org/doc/html/rfc6749]]
> {quote}
>  
> However, the code in Kafka that parses the JWT payload does not permit a 
> space-separated list. It would treat a value like "email phone address" as a 
> single scope "email phone address" rather than three separate scopes: 
> "email", "phone", "address".
> The affected code is here:
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java#L166]
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L343]
> Impact:
> Looking at the production code in Apache Kafka itself, I think the defect is 
> currently harmless. As far as I can tell, there's no production code that 
> makes use of  
> org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken#scope.
> I think there would be potential for impact on a user writing their own 
> OAuthBearerValidatorCallbackHandler that uses Kafka's BrokerJwtValidator and 
> makes use of the scope value.
> Failing unit test:
> [https://github.com/apache/kafka/compare/trunk...k-wall:kafka:KAFKA-19790]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
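As an added illustration (this is not Kafka's code and not from the issue's reporter), here is how a custom OAuthBearerValidatorCallbackHandler could split the claim the way RFC 8693 and RFC 6749 Section 3.3 require, so that a scope-based authorization check sees "email", "phone" and "address" as separate scopes. The ScopeClaimParser class name and the strictness choices (lenient about repeated spaces, strict about the scope-token character set) are my assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/** Hypothetical parser for the OAuth 2.0 "scope" claim (RFC 8693 sec. 4.2 / RFC 6749 sec. 3.3). */
public final class ScopeClaimParser {

    private ScopeClaimParser() { }

    /**
     * Splits a space-separated scope string into individual scope tokens.
     * RFC 6749 sec. 3.3 grammar: scope = scope-token *( SP scope-token ),
     * scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII
     * excluding SP, double-quote and backslash.
     */
    public static Set<String> parse(String scopeClaim) {
        if (scopeClaim == null) {
            return Collections.emptySet(); // absent claim: the token grants no scopes
        }
        Set<String> scopes = new LinkedHashSet<>();
        for (String token : scopeClaim.split(" ")) {
            // Assumption: tolerate runs of spaces, but never emit an empty scope.
            if (token.isEmpty()) {
                continue;
            }
            validateScopeToken(token);
            scopes.add(token);
        }
        return Collections.unmodifiableSet(scopes);
    }

    /** Rejects any character outside the RFC 6749 scope-token alphabet (fail closed). */
    private static void validateScopeToken(String token) {
        for (int i = 0; i < token.length(); i++) {
            char c = token.charAt(i);
            boolean allowed = c == 0x21 || (c >= 0x23 && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
            if (!allowed) {
                throw new IllegalArgumentException(
                    "invalid character 0x" + Integer.toHexString(c) + " in scope token");
            }
        }
    }

    public static void main(String[] args) {
        Set<String> compliant = parse("email phone address");
        // Treating the whole claim as one scope, as the issue describes, is what a
        // per-scope authorization check would otherwise be comparing against.
        Set<String> singleScope = Collections.singleton("email phone address");
        System.out.println("compliant parse: " + compliant + " contains phone=" + compliant.contains("phone"));
        System.out.println("single-scope parse contains phone=" + singleScope.contains("phone"));
    }
}
```

A handler that authorizes on a scope should compare against the parsed set, not against the raw claim string, so that a required scope is neither missed nor matched by substring.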