Description
Client authentication fails when the client is configured to use OAUTHBEARER and the JWT access token does not contain the sub claim. This issue was discovered while testing Kafka integration with the Ping Identity OAuth server. According to Ping's documentation:
sub – A string that specifies the identifier for the authenticated user. This claim is not present for client_credentials tokens.
In this case the Kafka broker rejects the token regardless of the sasl.oauthbearer.sub.claim.name property value. As the broker log below shows, the rejection is raised by the JWT claim validation itself (missing sub) before the configured principal claim is ever looked at, so tokens obtained with the client_credentials grant from such a server cannot authenticate at all.
Steps to reproduce:
1. Client configuration:
security.protocol=SASL_PLAINTEXT
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=https://oauth.server.fqdn/token/endpoint
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId="kafka-client" \
    clientSecret="kafka-client-secret";
# claim name for the principal to be extracted from, needed for client side validation too
# (kept on its own line: a trailing "# ..." after a value is not a comment in a Java properties file, it becomes part of the value)
sasl.oauthbearer.sub.claim.name=client_id
2. Broker configuration:
sasl.enabled.mechanisms=...,OAUTHBEARER
listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
listener.name.sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
sasl.oauthbearer.jwks.endpoint.url=https://oauth.server.fqdn/jwks/endpoint
# based on OAuth server setup
sasl.oauthbearer.expected.audience=oauth-audience
# claim name for the principal to be extracted from
sasl.oauthbearer.sub.claim.name=client_id
3. Try to perform some client operation:
kafka-topics --bootstrap-server `hostname`:9092 --list --command-config oauth-client.properties
Result:
Client authentication fails due to invalid access token.
- client log:
[2022-03-11 16:21:20,461] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (localhost/127.0.0.1:9092) failed authentication due to: {"status":"invalid_token"} (org.apache.kafka.clients.NetworkClient)
[2022-03-11 16:21:20,463] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"}
Error while executing topic command : {"status":"invalid_token"}
[2022-03-11 16:21:20,468] ERROR org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"} (kafka.admin.TopicCommand$)
- broker log:
[2022-03-11 16:21:20,150] WARN Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.] (org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler)
org.apache.kafka.common.security.oauthbearer.secured.ValidateException: Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
    at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:159)
    at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handleValidatorCallback(OAuthBearerValidatorCallbackHandler.java:184)
    at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handle(OAuthBearerValidatorCallbackHandler.java:169)
    at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.process(OAuthBearerSaslServer.java:156)
    at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.evaluateResponse(OAuthBearerSaslServer.java:101)
    at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:451)
    at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:280)
    at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
    at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
    at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
    at kafka.network.Processor.poll(SocketServer.scala:989)
    at kafka.network.Processor.run(SocketServer.scala:892)
    at java.lang.Thread.run(Thread.java:748)
Caused by: org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
    at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:466)
    at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:311)
    at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:433)
    at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:157)
    ... 12 more
[2022-03-11 16:21:20,154] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /127.0.0.1 ({"status":"invalid_token"}) (org.apache.kafka.common.network.Selector)
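The broker log above bottoms out in jose4j's JwtConsumer, so the rejection can be reproduced without a broker or a Ping server. The following is an added example, not code from Kafka or from this report: it mints a token with the same claim shape as the log (client_id, iss, aud, iat, exp, no sub), shows that a consumer built with setRequireSubject() rejects it with the MISSING_SUBJECT error (the "[14]" in the log), and shows a consumer that instead requires the configured principal claim and accepts it. The issuer, audience, key id and principal value are assumptions mirroring the configuration in the steps above; a locally generated RSA key stands in for the JWKS endpoint, and the second consumer is what a broker would need to do, not a claim about how Kafka's validator was implemented.

```java
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.ErrorCodes;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

/**
 * Standalone reproduction of the "No Subject (sub) claim is present" rejection
 * using jose4j directly. Requires org.bitbucket.b_c:jose4j on the classpath.
 */
public class SubClaimRepro {

    // Assumed values mirroring the issue's configuration; not real endpoints.
    static final String ISSUER = "https://oauth.server.fqdn";
    static final String AUDIENCE = "oauth-audience";
    // The claim the broker is configured to take the principal from
    // (sasl.oauthbearer.sub.claim.name=client_id in the steps above).
    static final String PRINCIPAL_CLAIM = "client_id";

    /** Mints a signed token with the claim set the broker log shows: no sub claim. */
    static String mintClientCredentialsToken(RsaJsonWebKey jwk) throws Exception {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setAudience(AUDIENCE);
        claims.setIssuedAtToNow();
        claims.setExpirationTimeMinutesInTheFuture(60);
        claims.setClaim(PRINCIPAL_CLAIM, "kafka-client");
        // Deliberately no claims.setSubject(...): this is what a client_credentials token looks like.

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(jwk.getPrivateKey());
        jws.setKeyIdHeaderValue(jwk.getKeyId());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        return jws.getCompactSerialization();
    }

    /** Checks every validator should apply whatever claim names the principal. */
    static JwtConsumerBuilder baseConsumer(RsaJsonWebKey jwk) {
        return new JwtConsumerBuilder()
            .setVerificationKey(jwk.getKey())   // local key instead of a JWKS lookup (assumption)
            .setExpectedIssuer(ISSUER)
            .setExpectedAudience(AUDIENCE)
            .setRequireExpirationTime();
    }

    public static void main(String[] args) throws Exception {
        RsaJsonWebKey jwk = RsaJwkGenerator.generateJwk(2048);
        jwk.setKeyId("kafka-test-key");
        String token = mintClientCredentialsToken(jwk);

        // 1. A consumer that hard-requires sub fails exactly like the broker log.
        JwtConsumer requireSub = baseConsumer(jwk).setRequireSubject().build();
        try {
            requireSub.processToClaims(token);
            System.out.println("unexpected: token without sub was accepted");
        } catch (InvalidJwtException e) {
            // ErrorCodes.MISSING_SUBJECT is the "[14] No Subject (sub) claim is present." in the log.
            System.out.println("rejected, MISSING_SUBJECT=" + e.hasErrorCode(ErrorCodes.MISSING_SUBJECT));
        }

        // 2. A consumer that validates signature/iss/aud/exp and then requires the
        //    configured principal claim rather than sub accepts the same token.
        JwtConsumer requireConfiguredClaim = baseConsumer(jwk).build();
        JwtClaims verified = requireConfiguredClaim.processToClaims(token);
        String principal = verified.getStringClaimValue(PRINCIPAL_CLAIM);
        if (principal == null || principal.isEmpty()) {
            throw new IllegalStateException("token carries no '" + PRINCIPAL_CLAIM + "' claim");
        }
        System.out.println("accepted, principal=" + principal);
    }
}
```

Running it prints the rejection for the first consumer and "accepted, principal=kafka-client" for the second. The point of the second consumer is that the presence check moves from the fixed sub claim to whatever claim the broker is configured to derive the principal from; every other check (signature, issuer, audience, expiry) stays in place.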