Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-7462

Kafka brokers cannot provide OAuth without a token

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.0
    • Fix Version/s: 2.1.0
    • Component/s: security
    • Labels:
      None

      Description

      Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both  server-side and the client-side. But unlike PLAIN or SCRAM where client credentials are optional, OAUTHBEARER requires always requires a token. So while with PLAIN/SCRAM, broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth, broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rsivaram Rajini Sivaram
                Reporter:
                rsivaram Rajini Sivaram
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: