kirktrue commented on a change in pull request #11284:
URL: https://github.com/apache/kafka/pull/11284#discussion_r734095192



##########
File path: clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
##########
@@ -75,30 +78,111 @@
     public static final String SASL_LOGIN_REFRESH_WINDOW_FACTOR_DOC = "Login 
refresh thread will sleep until the specified window factor relative to the"
             + " credential's lifetime has been reached, at which time it will 
try to refresh the credential."
             + " Legal values are between 0.5 (50%) and 1.0 (100%) inclusive; a 
default value of 0.8 (80%) is used"
-            + " if no value is specified. Currently applies only to 
OAUTHBEARER.";
+            + " if no value is specified."
+            + OAUTHBEARER_NOTE;
     public static final double DEFAULT_LOGIN_REFRESH_WINDOW_FACTOR = 0.80;
 
     public static final String SASL_LOGIN_REFRESH_WINDOW_JITTER = 
"sasl.login.refresh.window.jitter";
     public static final String SASL_LOGIN_REFRESH_WINDOW_JITTER_DOC = "The 
maximum amount of random jitter relative to the credential's lifetime"
             + " that is added to the login refresh thread's sleep time. Legal 
values are between 0 and 0.25 (25%) inclusive;"
-            + " a default value of 0.05 (5%) is used if no value is specified. 
Currently applies only to OAUTHBEARER.";
+            + " a default value of 0.05 (5%) is used if no value is specified."
+            + OAUTHBEARER_NOTE;
     public static final double DEFAULT_LOGIN_REFRESH_WINDOW_JITTER = 0.05;
 
     public static final String SASL_LOGIN_REFRESH_MIN_PERIOD_SECONDS = 
"sasl.login.refresh.min.period.seconds";
     public static final String SASL_LOGIN_REFRESH_MIN_PERIOD_SECONDS_DOC = 
"The desired minimum time for the login refresh thread to wait before 
refreshing a credential,"
             + " in seconds. Legal values are between 0 and 900 (15 minutes); a 
default value of 60 (1 minute) is used if no value is specified.  This value 
and "
             + " sasl.login.refresh.buffer.seconds are both ignored if their 
sum exceeds the remaining lifetime of a credential."
-            + " Currently applies only to OAUTHBEARER.";
+            + OAUTHBEARER_NOTE;
     public static final short DEFAULT_LOGIN_REFRESH_MIN_PERIOD_SECONDS = 60;
 
     public static final String SASL_LOGIN_REFRESH_BUFFER_SECONDS = 
"sasl.login.refresh.buffer.seconds";
     public static final String SASL_LOGIN_REFRESH_BUFFER_SECONDS_DOC = "The 
amount of buffer time before credential expiration to maintain when refreshing 
a credential,"
             + " in seconds. If a refresh would otherwise occur closer to 
expiration than the number of buffer seconds then the refresh will be moved up 
to maintain"
             + " as much of the buffer time as possible. Legal values are 
between 0 and 3600 (1 hour); a default value of  300 (5 minutes) is used if no 
value is specified."
             + " This value and sasl.login.refresh.min.period.seconds are both 
ignored if their sum exceeds the remaining lifetime of a credential."
-            + " Currently applies only to OAUTHBEARER.";
+            + OAUTHBEARER_NOTE;
     public static final short DEFAULT_LOGIN_REFRESH_BUFFER_SECONDS = 300;
 
+    public static final String SASL_LOGIN_CONNECT_TIMEOUT_MS = 
"sasl.login.connect.timeout.ms";
+    public static final String SASL_LOGIN_CONNECT_TIMEOUT_MS_DOC = "The 
(optional) value in milliseconds for the external authentication provider 
connection timeout."
+            + OAUTHBEARER_NOTE;
+
+    public static final String SASL_LOGIN_READ_TIMEOUT_MS = 
"sasl.login.read.timeout.ms";
+    public static final String SASL_LOGIN_READ_TIMEOUT_MS_DOC = "The 
(optional) value in milliseconds for the external authentication provider read 
timeout."
+            + OAUTHBEARER_NOTE;
+
+    // These are only specified here outside their normal groupings so that 
they can be
+    // forward referencing.
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MS = 
"sasl.login.retry.backoff.ms";
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MAX_MS = 
"sasl.login.retry.backoff.max.ms";
+
+    private static final String EXPONENTIAL_BACKOFF_NOTE = " Login uses an 
exponential backoff algorithm with an initial wait based on the"
+            + " " + SASL_LOGIN_RETRY_BACKOFF_MS
+            + " setting and will double in wait length between attempts up to 
a maximum wait length specified by the"
+            + " " + SASL_LOGIN_RETRY_BACKOFF_MAX_MS
+            + " setting.";
+
+    public static final long DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MAX_MS = 10000;
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MAX_MS_DOC = "The 
(optional) value in milliseconds for the maximum wait between login attempts to 
the"
+            + " external authentication provider."
+            + EXPONENTIAL_BACKOFF_NOTE;
+
+    public static final long DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MS = 100;
+    public static final String SASL_LOGIN_RETRY_BACKOFF_MS_DOC = "The 
(optional) value in milliseconds for the initial wait between login attempts to 
the external"
+            + " authentication provider."
+            + EXPONENTIAL_BACKOFF_NOTE;
+
+    public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = 
"sasl.oauthbearer.scope.claim.name";
+    public static final String DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = 
"scope";
+    public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME_DOC = "The 
OAuth claim for the scope is often named \"" + 
DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME + "\", but this (optional)"
+            + " setting can provide a different name to use for the scope 
included in the JWT payload's claims if the OAuth/OIDC provider uses a 
different"
+            + " name for that claim.";
+
+    public static final String SASL_OAUTHBEARER_SUB_CLAIM_NAME = 
"sasl.oauthbearer.sub.claim.name";
+    public static final String DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME = "sub";
+    public static final String SASL_OAUTHBEARER_SUB_CLAIM_NAME_DOC = "The 
OAuth claim for the subject is often named \"" + 
DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME + "\", but this (optional)"
+            + " setting can provide a different name to use for the subject 
included in the JWT payload's claims if the OAuth/OIDC provider uses a 
different"
+            + " name for that claim.";
+
+    public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_URI = 
"sasl.oauthbearer.token.endpoint.uri";
+    public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_URI_DOC = "The 
URL for the OAuth/OIDC identity provider. If the URL is HTTP(S)-based, it is 
the issuer's token"
+            + " endpoint URI to which requests will be made to login based on 
the configuration in " + SASL_JAAS_CONFIG + ". If the URL is file-based, it"
+            + " specifies a file containing an access token (in JWT serialized 
form) issued by the OAuth/OIDC identity provider to use for authorization.";
+
+    // These are only specified here outside their normal groupings so that 
they can be
+    // forward referencing.
+    public static final String SASL_OAUTHBEARER_JWKS_ENDPOINT_URI = 
"sasl.oauthbearer.jwks.endpoint.uri";
+    public static final String SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS = 
"sasl.oauthbearer.jwks.endpoint.refresh.ms";
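Review bot: `SASL_OAUTHBEARER_TOKEN_ENDPOINT_URI_DOC` allows an "HTTP(S)-based" URL but gives no guidance on transport security, although the login request built from `sasl.jaas.config` (presumably carrying the client's credentials) and the returned access token both cross that connection. I would append a sentence such as `+ " Use an https URL in production; over plain http the login request and the issued token are sent unencrypted."`, and for the file-based form add that the file holds a bearer token and should be readable only by the user running the client. Separately, `SASL_LOGIN_RETRY_BACKOFF_MS_DOC` and `SASL_LOGIN_RETRY_BACKOFF_MAX_MS_DOC` end with `EXPONENTIAL_BACKOFF_NOTE` but not `OAUTHBEARER_NOTE`, unlike the two new timeout docs; if those settings are also OAUTHBEARER-only, appending it would keep the docs consistent. The quoted hunk stops at the commented line, so any scheme validation elsewhere in the pull request is not visible here.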

Review comment:
       I have rearranged the ordering to be consistent with the existing 
structure. This meant that I had to reference the name in a string literal vs. 
using a reference to the name, but 🤷 



