[
https://issues.apache.org/jira/browse/KAFKA-20184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059701#comment-18059701
]
yookibaek commented on KAFKA-20184:
-----------------------------------
Hi [~kirktrue], [~csemaan1a]! Thank you for reporting this issue [~csemaan1a]
— it's an important fix for anyone using OAuth authentication directly with the
kafka-clients library.
If no one is currently assigned or working on this, I'd like to take it on.
I've analyzed the codebase and here are my findings:
Root cause:
- In `build.gradle`, `jose4j` is declared as `compileOnly` in the `:clients`
module, but multiple OAuth classes in `clients/src/main/java` (e.g.,
`BrokerJwtValidator`, `DefaultJwtValidator`, `VerificationKeyResolverFactory`)
directly depend on it at runtime.
Here is my plan:
- Change `jose4j` from `compileOnly` to `implementation` in the `:clients`
module, consistent with how `:core`, `:tools`, `:shell`, and `:connect:runtime`
already declare it.
I'll submit a PR with this change. Feedback welcome!
> jose4j marked as compileOnly in clients module causes ClassNotFoundException
> at runtime for OAuth authentication
> ----------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-20184
> URL: https://issues.apache.org/jira/browse/KAFKA-20184
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.1.0
> Reporter: Christian Semaan
> Priority: Major
> Labels: build, client, dependancy, oauth
>
> The `jose4j` library is currently marked as `compileOnly` in the `:clients`
> module dependency configuration
> https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a comment
> stating "only used by broker". However, this is incorrect and causes runtime
> issues.
>
> OAuth implementation classes are in the clients module, not just broker:
> * org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver
>   (interface extending jose4j's VerificationKeyResolver)
> * org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
> * org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
> Impact:
> Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER
> authentication, the application will encounter `ClassNotFoundException` or
> `NoClassDefFoundError` for jose4j classes at runtime unless users manually
> add jose4j as a dependency to their applications.
>
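Until the `:clients` dependency declaration is fixed, an application that configures SASL/OAUTHBEARER can fail fast with a clear message instead of hitting `NoClassDefFoundError` deep inside the login callback. The preflight below is an added example, not Kafka's or jose4j's code; it probes for `org.jose4j.keys.resolvers.VerificationKeyResolver` (the jose4j interface the issue says `CloseableVerificationKeyResolver` extends) and reads the standard `sasl.mechanism` client property from a constructed sample config.

```java
import java.util.HashMap;
import java.util.Map;

/** Preflight check (added example): verify jose4j is loadable before a
 *  kafka-clients application is configured for SASL/OAUTHBEARER. */
public final class OAuthClasspathPreflight {

    // jose4j interface that the clients-module OAuth code references at runtime.
    static final String JOSE4J_PROBE_CLASS =
        "org.jose4j.keys.resolvers.VerificationKeyResolver";

    /** True when the probe class resolves through the given class loader. */
    public static boolean jose4jPresent(ClassLoader loader) {
        try {
            Class.forName(JOSE4J_PROBE_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return false;
        }
    }

    /** Throws an actionable error if OAUTHBEARER is configured but jose4j is missing;
     *  other SASL mechanisms (PLAIN, SCRAM, GSSAPI) do not need jose4j. */
    public static void check(Map<String, Object> clientConfig) {
        if (!"OAUTHBEARER".equals(clientConfig.get("sasl.mechanism"))) {
            return;
        }
        if (!jose4jPresent(OAuthClasspathPreflight.class.getClassLoader())) {
            throw new IllegalStateException(
                "sasl.mechanism=OAUTHBEARER requires jose4j on the runtime classpath, but "
              + JOSE4J_PROBE_CLASS + " is not loadable. kafka-clients declares jose4j as "
              + "compileOnly (KAFKA-20184); add org.bitbucket.b_c:jose4j as a runtime "
              + "dependency of this application.");
        }
    }

    public static void main(String[] args) {
        // Constructed sample client configuration, not taken from a real deployment.
        Map<String, Object> props = new HashMap<>();
        props.put("bootstrap.servers", "broker.example:9093");
        props.put("security.protocol", "SASL_SSL");
        props.put("sasl.mechanism", "OAUTHBEARER");
        check(props); // returns silently when jose4j is present, otherwise throws
        System.out.println("jose4j present; OAUTHBEARER client can be created");
    }
}
```

Run `check(...)` before constructing the `KafkaProducer`/`KafkaConsumer`, so the missing-dependency case surfaces at startup rather than at the first authentication attempt.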
--
This message was sent by Atlassian Jira
(v8.20.10#820010)