[ 
https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533793#comment-17533793
 ] 

Viktor Somogyi-Vass commented on KAFKA-13848:
---------------------------------------------

[~acsaki] please write an email to the d...@kafka.apache.org email list so they 
can add you as a contributor. After this you'll be able to assign the jira to 
yourself. You can raise a PR regardless though.
(more on contribution: https://kafka.apache.org/contributing)

> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
>                 Key: KAFKA-13848
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13848
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>         Environment: https://github.com/acsaki/kafka-sasl-reauth
>            Reporter: Andras Csaki
>            Assignee: Andras Csaki
>            Priority: Minor
>              Labels: Authentication, OAuth2, SASL
>
> Clients remain connected and able to produce or consume despite an expired 
> OAUTHBEARER token.
> The problem can be reproduced using the 
> https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded 
> OAuth2 server and Kafka, then running the long-running consumer in 
> OAuthBearerTest and then killing the OAuth2 server, thus making the client 
> unable to re-authenticate.
> Root cause seems to be 
> SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing 
> to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired 
> (when session lifetime goes negative), in turn causing 
> KafkaChannel#serverAuthenticationSessionExpired to return false and finally 
> SocketServer not closing the channel.
> The issue is observed with OAUTHBEARER but seems to have a wider impact on 
> SASL re-authentication.
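
The failure mode described in the report, as an added example that is not part of the original message and is not Kafka source code: a simplified Java model in which a non-positive session lifetime leaves the expiry time unset, so the expiry check never fires. All class, method and variable names are hypothetical, the timestamps are constructed, and the hardened variant is an assumption about one possible fix, not the project's patch.

```java
import java.util.OptionalLong;

// Simplified model (not Kafka source) of the expiry bookkeeping the report describes.
public class ReauthExpiryModel {

    // As reported: a lifetime that is zero or negative leaves the expiry time unset.
    static OptionalLong expiryAsReported(long credentialExpiryMs, long authEndMs, long authEndNanos) {
        long lifetimeMs = Math.max(0L, credentialExpiryMs - authEndMs);
        return lifetimeMs > 0L
                ? OptionalLong.of(authEndNanos + lifetimeMs * 1_000_000L)
                : OptionalLong.empty();
    }

    // Hardened variant (assumption): an already-expired credential expires the session at once.
    static OptionalLong expiryHardened(long credentialExpiryMs, long authEndMs, long authEndNanos) {
        long lifetimeMs = Math.max(0L, credentialExpiryMs - authEndMs);
        return OptionalLong.of(authEndNanos + lifetimeMs * 1_000_000L);
    }

    // Server-side check: an unset expiry is read as "this session never expires".
    static boolean sessionExpired(OptionalLong expiryNanos, long nowNanos) {
        return expiryNanos.isPresent() && nowNanos - expiryNanos.getAsLong() > 0;
    }

    public static void main(String[] args) {
        long authEndMs = 1_000_000L;               // constructed wall-clock time of authentication
        long authEndNanos = 5_000_000_000L;        // constructed monotonic time of authentication
        long tokenExpiryMs = authEndMs - 30_000L;  // token expired 30 s before authentication ended
        long oneHourLaterNanos = authEndNanos + 3_600L * 1_000_000_000L;

        OptionalLong reported = expiryAsReported(tokenExpiryMs, authEndMs, authEndNanos);
        OptionalLong hardened = expiryHardened(tokenExpiryMs, authEndMs, authEndNanos);

        // The reported logic never marks the session expired; the hardened one does.
        System.out.println("as reported: expired=" + sessionExpired(reported, oneHourLaterNanos));
        System.out.println("hardened:    expired=" + sessionExpired(hardened, oneHourLaterNanos));
    }
}
```

The model covers only the case where a credential lifetime is known; a connection with no lifetime configured at all legitimately has no expiry.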
