KIP-306 introduced the config `connection.failed.authentication.delay.ms` to delay connection closing on brokers for failed authentication to limit the rate of retried authentications from clients in order to avoid excessive authentication load on brokers from failed clients. We rely on authentication failure response to be delayed in this case to prevent clients from detecting the failure and retrying sooner.
SaslServerAuthenticator delays response for SaslAuthenticationException, but not for SaslException, even though SaslException is also converted into SaslAuthenticationException and processed as an authentication failure by both server and clients. As a result, connection delay is not applied in many scenarios like SCRAM authentication failures.
- links to