[ https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533793#comment-17533793 ]
Viktor Somogyi-Vass commented on KAFKA-13848:
---------------------------------------------

[~acsaki] please write an email to the d...@kafka.apache.org email list so they can add you as a contributor. After this you'll be able to assign the jira to yourself. You can raise a PR regardless though. (more on contribution: https://kafka.apache.org/contributing)

> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
>                 Key: KAFKA-13848
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13848
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>         Environment: https://github.com/acsaki/kafka-sasl-reauth
>            Reporter: Andras Csaki
>            Assignee: Andras Csaki
>            Priority: Minor
>              Labels: Authentication, OAuth2, SASL
>
> Clients remain connected and able to produce or consume despite an expired
> OAUTHBEARER token.
>
> The problem can be reproduced using the
> https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded
> OAuth2 server and Kafka, then running the long running consumer in
> OAuthBearerTest and then killing the OAuth2 server, thus making the client
> unable to re-authenticate.
>
> Root cause seems to be
> SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing
> to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired
> (when session life time goes negative), in turn causing
> KafkaChannel#serverAuthenticationSessionExpired to return false and finally
> SocketServer not closing the channel.
>
> The issue is observed with OAUTHBEARER but seems to have a wider impact on
> SASL re-authentication.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
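The failure chain the reporter describes (negative session lifetime, expiry never recorded, expiry check returns false, channel never closed) is easy to see in a small model. The following is an added illustration written for this page, not Kafka's own code: the class and method names (ReauthExpiryModel, ReauthInfo, buggyCalcSessionLifetimeMs, fixedCalcSessionLifetimeMs, serverAuthenticationSessionExpired) are hypothetical stand-ins that mirror the report's description, and the clock values are constructed. The "buggy" variant records an expiry only for a positive lifetime; the "fixed" variant clamps a non-positive lifetime to zero and always records it, so an already-expired credential is reported expired on the next check.

```java
import java.util.concurrent.TimeUnit;

/**
 * Stand-alone model of the expiry bookkeeping described in KAFKA-13848.
 * Hypothetical names: this does not use or reproduce Kafka's real classes.
 */
public final class ReauthExpiryModel {

    /** Per-channel re-authentication state; a null expiry mirrors the "never set" case. */
    static final class ReauthInfo {
        Long sessionExpirationTimeNanos;
    }

    /**
     * Buggy variant: the expiry is recorded only when the remaining lifetime is
     * positive, so a credential that has already expired leaves the session open.
     */
    static long buggyCalcSessionLifetimeMs(ReauthInfo info, long credentialExpiryMs,
                                           long nowMs, long nowNanos) {
        long lifetimeMs = credentialExpiryMs - nowMs;
        if (lifetimeMs > 0) {
            info.sessionExpirationTimeNanos = nowNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        }
        return lifetimeMs;
    }

    /**
     * Fixed variant: a non-positive lifetime is clamped to zero and the expiry is
     * always recorded, so the session reads as expired on the next check.
     */
    static long fixedCalcSessionLifetimeMs(ReauthInfo info, long credentialExpiryMs,
                                           long nowMs, long nowNanos) {
        long lifetimeMs = Math.max(0L, credentialExpiryMs - nowMs);
        info.sessionExpirationTimeNanos = nowNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        return lifetimeMs;
    }

    /** Mirrors the check a socket server would run before deciding to close a channel. */
    static boolean serverAuthenticationSessionExpired(ReauthInfo info, long nowNanos) {
        return info.sessionExpirationTimeNanos != null
                && nowNanos >= info.sessionExpirationTimeNanos;
    }

    public static void main(String[] args) {
        // Constructed clock values: the credential expired 5 seconds before "now".
        long nowMs = 1_000_000L;
        long nowNanos = TimeUnit.MILLISECONDS.toNanos(nowMs);
        long credentialExpiryMs = nowMs - 5_000L;

        ReauthInfo buggy = new ReauthInfo();
        long buggyLifetime = buggyCalcSessionLifetimeMs(buggy, credentialExpiryMs, nowMs, nowNanos);
        // Negative lifetime, expiry left unset, so the channel would stay open.
        System.out.println("buggy: lifetimeMs=" + buggyLifetime
                + " expired=" + serverAuthenticationSessionExpired(buggy, nowNanos));

        ReauthInfo fixed = new ReauthInfo();
        long fixedLifetime = fixedCalcSessionLifetimeMs(fixed, credentialExpiryMs, nowMs, nowNanos);
        // Lifetime clamped to zero, expiry set to "now", so the channel would be closed.
        System.out.println("fixed: lifetimeMs=" + fixedLifetime
                + " expired=" + serverAuthenticationSessionExpired(fixed, nowNanos));
    }
}
```

The point to carry over to a real fix is that the expiry check must not depend on a conditional write: any path through the lifetime calculation, including the negative case, should leave the channel with a concrete expiration time so the server's close decision is made on data rather than on an absent field.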