[
https://issues.apache.org/jira/browse/KAFKA-20184?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18059833#comment-18059833
]
Kirk True commented on KAFKA-20184:
-----------------------------------
While the OAuth code lives in the "clients" package, it can be run in three
different modes:
# Client mode, in which the {{JwtRetriever}} provides a JWT to the broker
# Server mode, in which a {{JwtValidator}} validates a JWT from a client
# Client/server mode, in which OAuth is used for inter-broker communication,
so it needs both parts
For mode #1 above, the clients JAR _should not_ include jose4j as a dependency,
so that we don't bloat the clients JAR and so that users don't have to patch
their clients in case a CVE is filed for jose4j (or its dependencies). jose4j
_is_ only intended for modes #2 and #3 above.
The intention is that the following classes should not be called by the client in
mode #1:
* {{BrokerJwtValidator}}
* {{VerificationKeyResolverFactory}}
* {{JwksFileVerificationKeyResolver}}
* {{RefreshingHttpsJwksVerificationKeyResolver}}
* {{RefreshingHttpsJwks}}
* {{CloseableVerificationKeyResolver}}
Those classes are all related to JWT validation.
However, the problem is probably caused by the introduction of
{{DefaultJwtValidator}} in 4.1. When the JVM loads the {{DefaultJwtValidator}}
class, it also ends up loading the {{BrokerJwtValidator}} class, which in turn
looks for the jose4j classes.
So, as a first guess, the fix would be to remove static references to classes
from {{DefaultJwtValidator}}.
> jose4j marked as compileOnly in clients module causes ClassNotFoundException
> at runtime for OAuth authentication
> ----------------------------------------------------------------------------------------------------------------
>
> Key: KAFKA-20184
> URL: https://issues.apache.org/jira/browse/KAFKA-20184
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.1.0
> Reporter: Christian Semaan
> Priority: Major
> Labels: build, client, dependancy, oauth
>
> The `jose4j` library is currently marked as `compileOnly` in the `:clients`
> module dependency configuration
> https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a comment
> stating "only used by broker". However, this is incorrect and causes runtime
> issues.
>
> OAuth implementation classes are in the clients module, not just broker:
> * org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver
>   (interface extending jose4j's VerificationKeyResolver)
> * org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
> * org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
> Impact:
> Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER
> authentication, the application will encounter `ClassNotFoundException` or
> `NoClassDefFoundError` for jose4j classes at runtime unless users manually
> add jose4j as a dependency to their applications.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
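The loading behaviour Kirk describes (a class that statically references a jose4j-backed validator drags jose4j onto the client's classpath even in mode #1) is easiest to see next to the shape of the fix he proposes. The following is an added example written for this page, not Kafka's own code: the interface, the `ClientSideNoopValidator`, the `JwtValidatorFactory`, the `oauth.validator.server` config key and the `org.example.oauth.BrokerJwtValidator` class name are all hypothetical. The only real identifier is the jose4j interface `org.jose4j.keys.resolvers.VerificationKeyResolver`, which the issue text names, used here purely as a presence probe. The factory holds the broker-side validator's name as a String and resolves it reflectively only on the server-side path, so a client that never asks for server-mode validation never causes the JVM to look for jose4j.

```java
// Added example, not Kafka project code. All names except the jose4j probe
// class are hypothetical stand-ins for the classes discussed in KAFKA-20184.
import java.util.Map;

public class OauthModeDemo {
    public static void main(String[] args) {
        // Mode #1 (client): works with or without jose4j on the classpath.
        JwtValidator client = JwtValidatorFactory.create(Map.of());
        System.out.println("client-mode validator: " + client.getClass().getSimpleName());
        System.out.println("jose4j present: "
            + JwtValidatorFactory.jose4jOnClasspath(OauthModeDemo.class.getClassLoader()));

        // Modes #2/#3 (server): fails fast with a clear message instead of a
        // NoClassDefFoundError deep inside the SASL handshake.
        try {
            JwtValidatorFactory.create(Map.of("oauth.validator.server", true));
        } catch (IllegalStateException e) {
            System.out.println("server-mode error: " + e.getMessage());
        }
    }
}

interface JwtValidator {
    String validate(String jwt);
}

// Client-side (mode #1) implementation: JDK-only, no jose4j reference anywhere.
final class ClientSideNoopValidator implements JwtValidator {
    @Override
    public String validate(String jwt) {
        return jwt; // the broker, not the client, is the party that validates
    }
}

final class JwtValidatorFactory {
    // Held as a String so the JVM never has to resolve the class unless we
    // explicitly ask for it in create() below. Hypothetical class name.
    static final String BROKER_VALIDATOR_CLASS = "org.example.oauth.BrokerJwtValidator";

    // Real jose4j interface (the one CloseableVerificationKeyResolver extends);
    // used only to check whether jose4j is on the classpath.
    static final String JOSE4J_PROBE_CLASS = "org.jose4j.keys.resolvers.VerificationKeyResolver";

    // Hypothetical config key selecting server-side validation (modes #2/#3).
    static final String SERVER_MODE_CONFIG = "oauth.validator.server";

    static boolean jose4jOnClasspath(ClassLoader loader) {
        try {
            // initialize=false: only checks presence, runs no static initializers.
            Class.forName(JOSE4J_PROBE_CLASS, false, loader);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    static JwtValidator create(Map<String, ?> configs) {
        boolean serverSide = Boolean.TRUE.equals(configs.get(SERVER_MODE_CONFIG));
        if (!serverSide) {
            // Mode #1: return here without ever naming the broker validator,
            // so no jose4j class is loaded on the client path.
            return new ClientSideNoopValidator();
        }
        ClassLoader loader = JwtValidatorFactory.class.getClassLoader();
        if (!jose4jOnClasspath(loader)) {
            throw new IllegalStateException(
                "server-side JWT validation requires jose4j on the classpath");
        }
        try {
            // Only now is the jose4j-dependent class resolved and initialized.
            return (JwtValidator) Class.forName(BROKER_VALIDATOR_CLASS, true, loader)
                .getDeclaredConstructor()
                .newInstance();
        } catch (ReflectiveOperationException | LinkageError e) {
            throw new IllegalStateException("could not load " + BROKER_VALIDATOR_CLASS, e);
        }
    }
}
```

Run with `java OauthModeDemo.java` (JDK 11+ single-file launcher). With no jose4j on the classpath the client-mode call succeeds and the server-mode call reports the missing dependency; with jose4j present the server-mode call proceeds to resolve the (hypothetical) broker validator by name. The same `Class.forName(..., false, loader)` probe is a cheap preflight an application can run at startup to confirm which of the three modes its classpath actually supports.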