
SASL/OAUTHBEARER client response is missing %x01 separators

    Details

    • Flags:
      Important

      Description

      The format of the SASL/OAUTHBEARER client response is defined in RFC 7628 Section 3.1 as follows:

           kvsep          = %x01
           key            = 1*(ALPHA)
           value          = *(VCHAR / SP / HTAB / CR / LF )
           kvpair         = key "=" value kvsep
           client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
           ;;gs2-header   = See RFC 5801 (Section 4)

      The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:

      String.format("n,,auth=Bearer %s", callback.token().value())

      This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01. The code should instead be as follows:

      String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())

      Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.

      This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.
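As an added example, not Kafka's own code: a Python builder and strict parser for the RFC 7628 client response, which rejects the separator-less string the current OAuthBearerSaslClient emits and accepts the corrected form with all three %x01 separators. The gs2-header check is a simplified reading of RFC 5801 Section 4 (the optional gs2-nonstd-flag is not accepted) and the token is a constructed sample.

```python
import re

KVSEP = "\x01"                                  # kvsep = %x01
KEY_RE = re.compile(r"[A-Za-z]+")               # key   = 1*(ALPHA)
VALUE_RE = re.compile(r"[\x21-\x7e \t\r\n]*")   # value = *(VCHAR / SP / HTAB / CR / LF)
# Simplified gs2-header (RFC 5801 Section 4): cb-flag "," [a=authzid] ","
# The optional gs2-nonstd-flag prefix is not accepted by this example.
GS2_RE = re.compile(r"(?:[ny]|p=[A-Za-z0-9.-]+),(?:a=[^,\x00-\x1f]+)?,")


def build_client_response(token: str, gs2_header: str = "n,,") -> str:
    """Correct wire form: gs2-header kvsep "auth=Bearer <token>" kvsep kvsep."""
    return f"{gs2_header}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"


def parse_client_response(resp: str):
    """Strict parser: returns (gs2_header, {key: value}) or raises ValueError."""
    if resp == KVSEP:              # bare kvsep: the client has nothing to send
        return None, {}
    parts = resp.split(KVSEP)
    # Expected layout after splitting: [gs2-header, "k=v", ..., "", ""]
    # The two trailing empty strings come from the kvsep that ends the last
    # kvpair and from the terminating kvsep.
    if len(parts) < 3 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("missing kvsep after gs2-header or missing terminating kvsep")
    gs2_header, pairs = parts[0], parts[1:-2]
    if not GS2_RE.fullmatch(gs2_header):
        raise ValueError(f"invalid gs2-header {gs2_header!r}")
    kv = {}
    for pair in pairs:
        key, eq, value = pair.partition("=")
        if not eq or not KEY_RE.fullmatch(key) or not VALUE_RE.fullmatch(value):
            raise ValueError(f"invalid kvpair {pair!r}")
        if key in kv:
            raise ValueError(f"duplicate key {key!r}")
        kv[key] = value
    return gs2_header, kv


def is_well_formed(resp: str) -> bool:
    try:
        parse_client_response(resp)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = "sample.token.value"   # constructed sample, not a real token
    print(is_well_formed(f"n,,auth=Bearer {token}"))      # False: the form KAFKA-7182 reports
    print(is_well_formed(build_client_response(token)))   # True: the corrected form
```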

              People

              • Assignee: Ron Dagostino (rndgstn)
              • Reporter: Ron Dagostino (rndgstn)
              • Reviewer: Rajini Sivaram
