Rajini Sivaram created KAFKA-7462:
-------------------------------------
Summary: Kafka brokers cannot provide OAuth without a token
Key: KAFKA-7462
URL: https://issues.apache.org/jira/browse/KAFKA-7462
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 2.0.0
Reporter: Rajini Sivaram
Fix For: 2.1.0
Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule
class on both server-side and the client-side. But unlike PLAIN or SCRAM where
client credentials are optional, OAUTHBEARER always requires a token.
So while with PLAIN/SCRAM, broker only needs to specify client credentials if
the mechanism is used for inter-broker communication, with OAuth, broker
requires client credentials even if OAuth is not used for inter-broker
communication. This is an issue with the default
`OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and
server-side. But more critically, it is an issue with `OAuthBearerLoginModule`
which doesn't commit if token == null (commit() returns false).