  1. Kafka
  2. KAFKA-14062

OAuth client token refresh fails with SASL extensions


Details

    Description

      While testing OAuth for Connect an issue surfaced where authentication that was successful initially fails during token refresh. This appears to be due to missing SASL extensions on refresh, though those extensions were present on initial authentication.

      During token refresh, the Kafka client adds and removes any SASL extensions. If a refresh is attempted during the window when the extensions are not present in the subject, the refresh fails with the following error:

      [2022-04-11 20:33:43,250] INFO [AdminClient clientId=adminclient-8] Failed authentication with <host>/<IP> (Authentication failed: 1 extensions are invalid! They are: xxx: Authentication failed) (org.apache.kafka.common.network.Selector)


          People

            kirktrue Kirk True
            Stanislav Kozlovski Stanislav Kozlovski