[
https://issues.apache.org/jira/browse/KAFKA-20184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059153#comment-18059153
]
Kirk True commented on KAFKA-20184:
-----------------------------------
[~csemaan1a]—are you planning to provide a fix, or no? Thanks
> jose4j marked as compileOnly in clients module causes ClassNotFoundException
> at runtime for OAuth authentication
> ----------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-20184
> URL: https://issues.apache.org/jira/browse/KAFKA-20184
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.1.0
> Reporter: Christian Semaan
> Priority: Major
> Labels: build, client, dependancy, oauth
>
> The `jose4j` library is currently marked as `compileOnly` in the `:clients`
> module dependency configuration
> https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a comment
> stating "only used by broker". However, this is incorrect and causes runtime
> issues.
>
> OAuth implementation classes are in the clients module, not just broker: *
> org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver
> (interface extending jose4j's VerificationKeyResolver)
> *
> org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
> *
> org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
> Impact:
> Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER
> authentication, the application will encounter `ClassNotFoundException` or
> `NoClassDefFoundError` for jose4j classes at runtime unless users manually
> add jose4j as a dependency to their applications.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
