Ron Dagostino created KAFKA-7182:
------------------------------------

             Summary: SASL/OAUTHBEARER client response is missing %x01 separators
                 Key: KAFKA-7182
                 URL: https://issues.apache.org/jira/browse/KAFKA-7182
             Project: Kafka
          Issue Type: Bug
          Components: clients
    Affects Versions: 2.0.0
            Reporter: Ron Dagostino
            Assignee: Ron Dagostino


The format of the SASL/OAUTHBEARER client response is defined in [RFC 7628 
Section 3.1|https://tools.ietf.org/html/rfc7628#section-3.1] as follows:

{noformat}
     kvsep          = %x01
     key            = 1*(ALPHA)
     value          = *(VCHAR / SP / HTAB / CR / LF )
     kvpair         = key "=" value kvsep
     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
{noformat}

;;gs2-header = See [RFC 5801 (Section 4)|https://tools.ietf.org/html/rfc5801#section-4]

The SASL/OAUTHBEARER client response as currently implemented in 
OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the 
"auth" key and value immediately after it, like this:

{code:java}
String.format("n,,auth=Bearer %s", callback.token().value())
{code}

This does not conform to the specification because there is no %x01 after the 
gs2-header, no %x01 after the auth value, and no terminating %x01.  The code 
should instead be as follows:

{code:java}
String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())
{code}

Similarly, the parsing of the client response in OAuthBearerSaslServer, which 
currently allows the malformed text, must also change.
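A strict builder and parser for the RFC 7628 client-resp grammar above, added here as an illustration (it is not Kafka's code): it produces the corrected form and rejects the 2.0.0 form with the missing %x01 separators. It assumes the gs2-header cb-flag is fixed to "n" (OAUTHBEARER has no channel binding) and only an optional authzid is carried in the header.

```python
import re
from typing import Optional

KVSEP = "\x01"
_KEY_RE = re.compile(r"^[A-Za-z]+$")              # key   = 1*(ALPHA)
_VALUE_RE = re.compile(r"^[\x21-\x7e \t\r\n]*$")  # value = *(VCHAR / SP / HTAB / CR / LF)
# gs2-header (RFC 5801 sec. 4) with cb-flag fixed to "n"; saslname escapes "," as =2C and "=" as =3D.
_GS2_RE = re.compile(r"^n,(?:a=(?P<authzid>(?:[^,=]|=2C|=3D)+))?,$")


def build_client_response(token: str, authzid: Optional[str] = None) -> str:
    """Build client-resp = gs2-header kvsep *kvpair kvsep (the corrected form from the ticket)."""
    a = "a=" + authzid.replace("=", "=3D").replace(",", "=2C") if authzid else ""
    return f"n,{a}," + KVSEP + f"auth=Bearer {token}" + KVSEP + KVSEP


def parse_client_response(resp: str) -> dict:
    """Strict parser: returns {'authzid': ..., 'kvpairs': {...}} or raises ValueError."""
    if resp == KVSEP:                          # bare kvsep: client aborting after a server error
        return {"authzid": None, "kvpairs": {}}
    if not resp.endswith(KVSEP + KVSEP):       # kvsep after the last kvpair plus the terminator
        raise ValueError("missing kvsep after last kvpair or terminating kvsep")
    parts = resp[:-len(KVSEP)].split(KVSEP)    # ["<gs2-header>", "<kvpair>", ..., ""]
    m = _GS2_RE.match(parts[0])
    if not m:                                  # also catches "n,,auth=..." with no kvsep after the header
        raise ValueError(f"bad gs2-header: {parts[0]!r}")
    authzid = m.group("authzid")
    if authzid is not None:
        authzid = authzid.replace("=2C", ",").replace("=3D", "=")
    kvpairs = {}
    for pair in parts[1:-1]:
        key, sep, value = pair.partition("=")
        if not sep or not _KEY_RE.match(key) or not _VALUE_RE.match(value):
            raise ValueError(f"bad kvpair: {pair!r}")
        kvpairs[key] = value
    if "auth" not in kvpairs:                  # RFC 7628: the auth kvpair is REQUIRED
        raise ValueError("auth kvpair missing")
    return {"authzid": authzid, "kvpairs": kvpairs}


def is_valid_client_response(resp: str) -> bool:
    """True if resp parses under the strict grammar, False otherwise."""
    try:
        parse_client_response(resp)
        return True
    except ValueError:
        return False
```

Feeding the 2.0.0 string "n,,auth=Bearer <token>" to the parser fails on the missing separators, which is exactly the check OAuthBearerSaslServer lacks today.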

*This should be fixed prior to the initial release of the SASL/OAUTHBEARER code 
in 2.0.0 to prevent compatibility problems.*



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)