prabhashkr opened a new pull request, #21483: URL: https://github.com/apache/kafka/pull/21483
## What

Implements [KIP-1258](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258): Add support for OAuth 2.0 client assertion authentication (RFC 7523 §2.2) as a more secure alternative to client secrets.

## Key Changes

### Core Implementation

- **New**: `ClientAssertionRequestFormatter` - Formats HTTP requests with client assertion parameters
- **Enhanced**: `HttpRequestFormatterFactory` - Three-tier fallback mechanism with logging
- **Renamed**: `ClientCredentialsRequestFormatter` → `ClientSecretRequestFormatter` (internal class)

### Three-Tier Fallback

1. File-based assertion (`sasl.oauthbearer.assertion.file`)
2. Locally-generated assertion (`sasl.oauthbearer.assertion.claim.iss` + private key)
3. Client secret (backward compatible fallback)

### Infrastructure

- Reuses KIP-1139 assertion creation/signing/caching
- No new configuration properties required
- Supports RS256 and ES256 algorithms
- Automatic private key file reloading

## Testing

- ✅ RFC 7523 compliance verified
- ✅ Backward compatibility validated

## Compatibility

- ✅ 100% backward compatible
- ✅ No public API changes
- ✅ No broker changes required
- ✅ Client-side only implementation

## Configuration Example

```properties
# Client Assertion (Recommended)
sasl.oauthbearer.token.endpoint.url=https://idp.com/oauth/token
sasl.oauthbearer.assertion.private.key.file=/path/to/key.pem
sasl.oauthbearer.assertion.algorithm=RS256
sasl.oauthbearer.assertion.claim.iss=kafka-client
sasl.oauthbearer.assertion.claim.sub=service-account
sasl.oauthbearer.assertion.claim.aud=https://idp.com

# Client Secret (Still Works)
sasl.oauthbearer.client.credentials.client.id=my-client
sasl.oauthbearer.client.credentials.client.secret=my-secret
```

## References

- **JIRA**: [KAFKA-18608](https://issues.apache.org/jira/browse/KAFKA-18608)
- **KIP**: [KIP-1258](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258)
- **RFC 7521**: [Assertion Framework for OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc7521)
- **RFC 7523**: [JWT Profile for OAuth 2.0 Client Authentication](https://datatracker.ietf.org/doc/html/rfc7523)
- **Related**: [KIP-1139 (jwt-bearer grant)](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1139)

## Reviewers

- Manikumar Reddy
- Kirk True
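The three-tier fallback and the RFC 7523 §2.2 request parameters, as an added illustration that is not the PR's or Kafka's code: it reads the KIP-1258 config keys from the example above and picks the first configured tier; the `signer` callable and `read_file` reader are assumed stand-ins for the private-key signing and assertion-file loading that the PR reuses from KIP-1139.

```python
import base64
import json
import time
import uuid

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def assertion_claims(cfg: dict, now: int, jti: str) -> dict:
    """RFC 7523 claim set built from the KIP-1258 config keys."""
    return {
        "iss": cfg["sasl.oauthbearer.assertion.claim.iss"],
        "sub": cfg["sasl.oauthbearer.assertion.claim.sub"],
        "aud": cfg["sasl.oauthbearer.assertion.claim.aud"],
        "iat": now,
        "exp": now + 300,  # short lifetime narrows the replay window
        "jti": jti,        # unique per assertion so the IdP can reject replays
    }

def build_assertion(cfg: dict, signer, now=None) -> str:
    """Compact JWS. `signer(signing_input)` is assumed to return the RS256/ES256
    signature made with the key in sasl.oauthbearer.assertion.private.key.file."""
    now = int(time.time()) if now is None else now
    header = {"alg": cfg["sasl.oauthbearer.assertion.algorithm"], "typ": "JWT"}
    segments = [b64url(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, assertion_claims(cfg, now, str(uuid.uuid4())))]
    signing_input = ".".join(segments)
    return signing_input + "." + b64url(signer(signing_input.encode()))

def token_request_body(cfg: dict, signer=None,
                       read_file=lambda p: open(p).read()) -> dict:
    """Choose the first configured tier and return the token-request form fields."""
    body = {"grant_type": "client_credentials"}
    if cfg.get("sasl.oauthbearer.assertion.file"):                        # tier 1
        assertion = read_file(cfg["sasl.oauthbearer.assertion.file"]).strip()
    elif (cfg.get("sasl.oauthbearer.assertion.claim.iss")
          and cfg.get("sasl.oauthbearer.assertion.private.key.file")):  # tier 2
        assertion = build_assertion(cfg, signer)
    elif cfg.get("sasl.oauthbearer.client.credentials.client.secret"):   # tier 3
        body["client_id"] = cfg["sasl.oauthbearer.client.credentials.client.id"]
        body["client_secret"] = cfg["sasl.oauthbearer.client.credentials.client.secret"]
        return body
    else:
        raise ValueError("no client authentication configured")
    body["client_assertion_type"] = JWT_BEARER
    body["client_assertion"] = assertion
    return body
```

Tier 3 sends the secret as form fields here; the page does not state how the existing formatter transmits it.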
