Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi everyone. KIP-255 is now updated to reflect all feedback to date. The updated code is also available on the KAFKA-6562 branch in the repo at https://github.com/rondagostino/kafka.git. We are now down to 1 public interface and 3 public classes -- a dramatic reduction from the original proposal

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Rajini. Thanks for the feedback. I will adopt all of the suggestions. Regarding your question about moving the refresh config values out of the JAAS config and making them generic, yes, I think that would work, and it does advance us down the road toward an eventual unification. I'll post aga

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Ron, A few more suggestions and questions: 1. The KIP says that various callback handlers and login have to be configured in order to use OAuth. Could we also say that a default implementation is included which is not suitable for production use, but this would work out-of-the-box

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Ron, Thanks for the updates. I had a quick look and it is looking good. I have updated KIP-86 and the associated PR to with a new config sasl.login.callback.handler.class that matches what you are using in this KIP. On Thu, Mar 29, 2018 at 6:27 AM, Ron Dagostino wrote: > Hi Rajini. I have

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Rajini. I have adjusted the KIP to use callbacks and callback handlers throughout. I also clarified that production implementations of the retrieval and validation callback handlers will require the use of an open source JWT library, and the unsecured implementations are as far as SASL/OAUTHBE

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Ron, Thanks for the response. All sound good, I think the only outstanding question is around callbacks vs classes provided through the login context. As you have pointed out, there are advantages of both approaches. Even though my preference is for callbacks, it is not a blocker since the curr

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Rajini. Thanks for the great feedback. See below for my thoughts/conclusions. I haven't implemented any of it yet or changed the KIP, but I will start to work on the areas where we are in agreement immediately, and I will await your feedback on the areas where an additional iteration is neede

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi Ron, Thanks for the KIP. Sorry for the delay in reviewing this. I have a few questions/comments. 1. Are all of the classes listed in the KIP intended to be public classes/interfaces? Since it requires more effort to maintain public classes, it will be good if we can make more of the.

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi everyone. I implemented the ability to perform substitution in JAAS config module options, which was the only part of KIP 255 that was not implemented when I originally published the KIP last week. I have made adjustments to that section of the KIP based on this implementation experience, incl

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Thanks, Ted. I've added the JIRA and mailing list links to the KIP, and I added Javadoc addressing your questions -- both in the KIP code blocks and on GitHub ( https://github.com/rondagostino/kafka/commit/c61f5bafad810b620ff1ebd04e1231d245183e36 ). Ron On Wed, Feb 14, 2018 at 7:19 PM, Ted Yu w

Re: [DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Nicely written KIP. Can you add link to this thread and fill in JIRA number ? For ExpiringCredential, why does expireTimeMillis() return long while other methods return Long ? Can you add some comment for WindowJitter in RefreshConfig ? Thanks On Wed, Feb 14, 2018 at 3:38 PM, Ron Dagostino wro

[DISCUSS] KIP-255: OAuth Authentication via SASL/OAUTHBEARER

Hi everyone. I created KIP-255: OAuth Authentication via SASL/OAUTHBEARER (https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968876 ). This KIP proposes adding the ability to authenticate to Kafka with O