lh0156 opened a new pull request, #22298: URL: https://github.com/apache/kafka/pull/22298
### Summary

- Parse string-valued OAuth scope claims as space-delimited scope tokens in broker and client JWT validators.
- Reuse the same parsing for unsecured JWS string scope claims.
- Preserve existing behavior for collection-valued scope claims and existing blank-scope validation semantics.
- Add focused unit coverage for configured scope claim names, blank string scopes, parser behavior, and unsecured JWS scope immutability.

### Motivation

OAuth scope values are commonly represented as a space-delimited string such as `"email profile phone"`. Previously, the secured validators wrapped a string-valued scope claim as a single collection item, so Kafka treated that example as one scope instead of three.

This patch normalizes only string-valued scope claims before the existing validation path. Collection-valued scope claims continue to use the existing behavior.

### Testing

- `./gradlew :clients:unitTest --tests org.apache.kafka.common.security.oauthbearer.BrokerJwtValidatorTest --tests org.apache.kafka.common.security.oauthbearer.ClientJwtValidatorTest --tests org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJwsTest --tests org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerScopeClaimUtilsTest`
- `./gradlew :clients:checkstyleMain :clients:checkstyleTest`
- `git diff --check`
- `./gradlew :clients:unitTest`
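The difference the Motivation section describes, shown as an added example that is not code from this pull request or from Kafka: a string-valued scope claim wrapped as one item versus split into tokens, and what each does to a required-scope check. Class and method names are hypothetical, the sample claims are constructed, and treating a blank string as an empty scope set is an assumption of this sketch rather than a statement of Kafka's blank-scope semantics.

```java
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class ScopeClaimDemo {

    // "Previously" behaviour from the description: a string claim becomes one collection item.
    static Set<String> wrapAsSingleItem(Object claim) {
        if (claim instanceof String)
            return Collections.singleton((String) claim);
        return fromCollection(claim);
    }

    // Behaviour the description proposes: only string claims are split on spaces.
    static Set<String> splitStringClaim(Object claim) {
        if (!(claim instanceof String))
            return fromCollection(claim);
        Set<String> scopes = new LinkedHashSet<>();
        for (String token : ((String) claim).split(" ")) {
            if (!token.isEmpty()) // repeated or leading spaces produce empty tokens; skip them
                scopes.add(token);
        }
        return Collections.unmodifiableSet(scopes); // callers cannot add scopes afterwards
    }

    // Collection-valued claims are taken element by element in both variants.
    static Set<String> fromCollection(Object claim) {
        Set<String> scopes = new LinkedHashSet<>();
        if (claim instanceof Collection<?>) {
            for (Object item : (Collection<?>) claim)
                scopes.add(String.valueOf(item));
        }
        return Collections.unmodifiableSet(scopes);
    }

    public static void main(String[] args) {
        Object stringClaim = "email profile phone";              // constructed sample claim
        Object listClaim = List.of("email", "profile", "phone"); // constructed sample claim
        Set<String> required = Set.of("profile");                // hypothetical required scope

        // Wrapped: one scope named "email profile phone", so the required scope is not found.
        System.out.println("wrapped: " + wrapAsSingleItem(stringClaim).containsAll(required));
        // Split: three scopes, matching what the collection-valued claim already yields.
        System.out.println("split:   " + splitStringClaim(stringClaim).containsAll(required));
        System.out.println("list:    " + splitStringClaim(listClaim).containsAll(required));
        System.out.println("blank:   " + splitStringClaim("   ").size());
    }
}
```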
