[KAFKA-7182] SASL/OAUTHBEARER client response is missing %x01 separators - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 2.0.0
Component/s: clients
Labels:
- pull-request-available

Flags:

Important

Description

The format of the SASL/OAUTHBEARER client response is defined in RFC 7628 Section 3.1 as follows:

     kvsep          = %x01
     key            = 1*(ALPHA)
     value          = *(VCHAR / SP / HTAB / CR / LF )
     kvpair         = key "=" value kvsep
     client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep

;;gs2-header = See RFC 5801 (Section 4)

The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:

String.format("n,,auth=Bearer %s", callback.token().value())

This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01. The code should instead be as follows:

String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())

Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.

This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.

Attachments

Issue Links

links to

GitHub Pull Request #5391

Activity

People

Assignee:: Ron Dagostino

Reporter:: Ron Dagostino

Reviewer:: Rajini Sivaram

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 18/Jul/18 20:28

Updated:: 19/Jul/18 16:58

Resolved:: 19/Jul/18 16:58