[KAFKA-14062] OAuth client token refresh fails with SASL extensions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.0, 3.2.0, 3.1.1, 3.3.0, 3.3
Fix Version/s: 3.1.2, 3.2.1, 3.3
Component/s: admin, clients, consumer, producer , security
Labels:
- OAuth

Description

While testing OAuth for Connect an issue surfaced where authentication that was successful initially fails during token refresh. This appears to be due to missing SASL extensions on refresh, though those extensions were present on initial authentication.

During token refresh, the Kafka client adds and removes any SASL extensions. If a refresh is attempted during the window when the extensions are not present in the subject, the refresh fails with the following error:

[2022-04-11 20:33:43,250] INFO [AdminClient clientId=adminclient-8] Failed authentication with <host>/<IP> (Authentication failed: 1 extensions are invalid! They are: xxx: Authentication failed) (org.apache.kafka.common.network.Selector)

Attachments

Issue Links

links to

GitHub Pull Request #12398

Activity

People

Assignee:: Kirk True

Reporter:: Kirk True

Reviewer:: Stanislav Kozlovski

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Jul/22 18:52

Updated:: 12/Jul/22 09:06

Resolved:: 12/Jul/22 09:06