[jira] [Commented] (KAFKA-20184) jose4j marked as compileOnly in clients module causes ClassNotFoundException at runtime for OAuth authentication

Thu, 19 Feb 2026 06:18:41 -0800 


    [ 
https://issues.apache.org/jira/browse/KAFKA-20184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059701#comment-18059701
 ] 

yookibaek commented on KAFKA-20184:
-----------------------------------

Hi [~kirktrue], [~csemaan1a]! thank you for reporting this issue [~csemaan1a]  
— it's an important fix for anyone using OAuth authentication directly with the 
kafka-clients library.

If no one is currently assigned or working on this, I'd like to take it on.

I've analyzed the codebase and here's my findings:

Root cause
- In `build.gradle`, `jose4j` is declared as `compileOnly` in the `:clients` 
module, but multiple OAuth classes in `clients/src/main/java` (e.g., 
`BrokerJwtValidator`, `DefaultJwtValidator`, `VerificationKeyResolverFactory`) 
directly depend on it at runtime.

Here is my plan
- Change `jose4j` from `compileOnly` to `implementation` in the `:clients` 
module, consistent with how `:core`, `:tools`, `:shell`, and `:connect:runtime` 
already declare it.

I'll submit a PR with this change. Feedback welcome!

> jose4j marked as compileOnly in clients module causes ClassNotFoundException 
> at runtime for OAuth authentication
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-20184
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20184
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>            Reporter: Christian Semaan
>            Priority: Major
>              Labels: build, client, dependancy, oauth
>
> The `jose4j` library is currently marked as `compileOnly` in the `:clients` 
> module dependency configuration 
> https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a comment 
> stating "only used by broker". However, this is incorrect and causes runtime 
> issues.
>  
> OAuth implementation classes are in the clients module, not just broker: * 
> org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver
>  (interface extending jose4j's VerificationKeyResolver)
>  * 
> org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
>  * 
> org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
> Impact: 
> Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER 
> authentication, the application will encounter `ClassNotFoundException` or 
> `NoClassDefFoundError` for jose4j classes at runtime unless users manually 
> add jose4j as a dependency to their applications.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to