yykkibbb opened a new pull request, #21518: URL: https://github.com/apache/kafka/pull/21518
## Summary

`jose4j` is declared as `compileOnly` in the `:clients` module (`build.gradle`), but multiple OAuth implementation classes in `clients/src/main/java` directly depend on it at runtime. This causes `ClassNotFoundException` when using OAuth authentication with `kafka-clients` as a standalone dependency.

**Root cause:** The comment says "only used by broker", but the following classes in the clients module directly import `org.jose4j.*`:

- `BrokerJwtValidator`
- `DefaultJwtValidator`
- `VerificationKeyResolverFactory`
- `JwksFileVerificationKeyResolver`
- `RefreshingHttpsJwksVerificationKeyResolver`
- `RefreshingHttpsJwks`
- `CloseableVerificationKeyResolver`

**Fix:** Changed `jose4j` from `compileOnly` to `implementation` in the `:clients` module, consistent with how `:core`, `:tools`, `:shell`, and `:connect:runtime` already declare it.

**Note:** `jacksonDatabind` and `jacksonJDK8Datatypes` are also declared as `compileOnly` in the same block and are used by OAuth classes in the clients module at runtime (5 files import `com.fasterxml.jackson.*`). If needed, those can be addressed in this PR or in a follow-up based on reviewer feedback.

## Test plan

- [x] Verified that all OAuth-related tests in `:clients` pass (`./gradlew :clients:test --tests "org.apache.kafka.common.security.oauthbearer.*"`)
- [ ] Verify that `jose4j` is now available at runtime for applications using `kafka-clients` with OAuth authentication
- [ ] Confirm no dependency conflicts with other modules
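The scope mismatch described in the pull request can be checked mechanically. The following is an added example, not code from the pull request or from Kafka's build: it flags dependencies that main sources import but that are declared only as `compileOnly`. The `libs.<alias>` line format, the alias-to-package map, the sample build file, the sample sources and the file name `ExampleJsonUser.java` are all assumptions constructed for illustration.

```python
import re

# Assumption: which Java package prefix each dependency alias provides.
PACKAGE_PREFIXES = {
    "jose4j": "org.jose4j.",
    "jacksonDatabind": "com.fasterxml.jackson.",
}
# Gradle configurations whose artifacts reach consumers at runtime.
RUNTIME_CONFIGS = {"implementation", "api", "runtimeOnly"}
DEP_LINE = re.compile(r"^\s*(\w+)\s+libs\.(\w+)", re.MULTILINE)
IMPORT_LINE = re.compile(r"^\s*import\s+(?:static\s+)?([\w.]+)", re.MULTILINE)

def declared_scopes(build_gradle):
    """Return {alias: set of configurations} for each `<config> libs.<alias>` line."""
    scopes = {}
    for config, alias in DEP_LINE.findall(build_gradle):
        scopes.setdefault(alias, set()).add(config)
    return scopes

def compile_only_leaks(build_gradle, main_sources):
    """Return {alias: sorted file names} for dependencies that main code imports
    but that are declared only as compileOnly, so they are absent at runtime."""
    leaks = {}
    for alias, configs in declared_scopes(build_gradle).items():
        prefix = PACKAGE_PREFIXES.get(alias)
        if prefix is None or "compileOnly" not in configs or configs & RUNTIME_CONFIGS:
            continue
        users = sorted(
            name for name, text in main_sources.items()
            if any(imp.startswith(prefix) for imp in IMPORT_LINE.findall(text))
        )
        if users:
            leaks[alias] = users
    return leaks

# Constructed sample input: a build file before and after the scope change.
BEFORE = """dependencies {
    implementation libs.slf4jApi
    compileOnly libs.jacksonDatabind
    compileOnly libs.jose4j
}"""
AFTER = BEFORE.replace("compileOnly libs.jose4j", "implementation libs.jose4j")
SOURCES = {  # constructed stand-ins for files under clients/src/main/java
    "BrokerJwtValidator.java": "import org.jose4j.jwt.consumer.JwtConsumer;\n",
    "RefreshingHttpsJwks.java": "import org.jose4j.jwk.HttpsJwks;\n",
    "ExampleJsonUser.java": "import com.fasterxml.jackson.databind.ObjectMapper;\n",
}

if __name__ == "__main__":
    print("before:", compile_only_leaks(BEFORE, SOURCES))
    print("after: ", compile_only_leaks(AFTER, SOURCES))
```

With the constructed input, the "after" build file still reports `jacksonDatabind`, which corresponds to the follow-up raised in the pull request's note.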
