public class OAuthBearerLoginCallbackHandler extends Object implements AuthenticateCallbackHandler
OAuthBearerLoginCallbackHandler
is an AuthenticateCallbackHandler
that
accepts OAuthBearerTokenCallback
and SaslExtensionsCallback
callbacks to
perform the steps to request a JWT from an OAuth/OIDC provider using the
clientcredentials
. This grant type is commonly used for non-interactive
"service accounts" where there is no user available to interactively supply credentials.
The OAuthBearerLoginCallbackHandler
is used on the client side to retrieve a JWT
and the OAuthBearerValidatorCallbackHandler
is used on the broker to validate the JWT
that was sent to it by the client to allow access. Both the brokers and clients will need to
be configured with their appropriate callback handlers and respective configuration for OAuth
functionality to work.
Note that while this callback handler class must be specified for a Kafka client that wants to use OAuth functionality, in the case of OAuth-based inter-broker communication, the callback handler must be used on the Kafka broker side as well.
This AuthenticateCallbackHandler
is enabled by specifying its class name in the Kafka
configuration. For client use, specify the class name in the
SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS
configuration like so:
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
If using OAuth login on the broker side (for inter-broker communication), the callback handler
class will be specified with a listener-based property:
listener.name.
like so:
listener.name.
The Kafka configuration must also include JAAS configuration which includes the following OAuth-specific options:
clientId
OAuth client ID (required)clientSecret
OAuth client secret (required)scope
OAuth scope (optional)
The JAAS configuration can also include any SSL options that are needed. The configuration
options are the same as those specified by the configuration in
SslConfigs.addClientSslSupport(ConfigDef)
.
Here's an example of the JAAS configuration for a Kafka client:
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
clientId="foo" \
clientSecret="bar" \
scope="baz" \
ssl.protocol="SSL" ;
The configuration option
SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL
is also required in order for the client to contact the OAuth/OIDC provider. For example:
sasl.oauthbearer.token.endpoint.url=https://example.com/oauth2/v1/token
Please see the OAuth/OIDC providers documentation for the token endpoint URL.
The following is a list of all the configuration options that are available for the login callback handler:
SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS
SaslConfigs.SASL_LOGIN_CONNECT_TIMEOUT_MS
SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS
SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS
SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS
SaslConfigs.SASL_JAAS_CONFIG
SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL
SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME
SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME
Modifier and Type | Field and Description |
---|---|
static String |
CLIENT_ID_CONFIG |
static String |
CLIENT_ID_DOC |
static String |
CLIENT_SECRET_CONFIG |
static String |
CLIENT_SECRET_DOC |
static String |
SCOPE_CONFIG |
static String |
SCOPE_DOC |
Constructor and Description |
---|
OAuthBearerLoginCallbackHandler() |
Modifier and Type | Method and Description |
---|---|
void |
close()
Closes this instance.
|
void |
configure(Map<String,?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries)
Configures this callback handler for the specified SASL mechanism.
|
void |
handle(Callback[] callbacks) |
public static final String CLIENT_ID_CONFIG
public static final String CLIENT_SECRET_CONFIG
public static final String SCOPE_CONFIG
public static final String CLIENT_ID_DOC
public static final String CLIENT_SECRET_DOC
public static final String SCOPE_DOC
public void configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
AuthenticateCallbackHandler
configure
in interface AuthenticateCallbackHandler
configs
- Key-value pairs containing the parsed configuration options of
the client or broker. Note that these are the Kafka configuration options
and not the JAAS configuration options. JAAS config options may be obtained
from `jaasConfigEntries` for callbacks which obtain some configs from the
JAAS configuration. For configs that may be specified as both Kafka config
as well as JAAS config (e.g. sasl.kerberos.service.name), the configuration
is treated as invalid if conflicting values are provided.saslMechanism
- Negotiated SASL mechanism. For clients, this is the SASL
mechanism configured for the client. For brokers, this is the mechanism
negotiated with the client and is one of the mechanisms enabled on the broker.jaasConfigEntries
- JAAS configuration entries from the JAAS login context.
This list contains a single entry for clients and may contain more than
one entry for brokers if multiple mechanisms are enabled on a listener using
static JAAS configuration where there is no mapping between mechanisms and
login module entries. In this case, callback handlers can use the login module in
`jaasConfigEntries` to identify the entry corresponding to `saslMechanism`.
Alternatively, dynamic JAAS configuration option
SaslConfigs.SASL_JAAS_CONFIG
may be
configured on brokers with listener and mechanism prefix, in which case
only the configuration entry corresponding to `saslMechanism` will be provided
in `jaasConfigEntries`.public void close()
AuthenticateCallbackHandler
close
in interface AuthenticateCallbackHandler
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
handle
in interface CallbackHandler
IOException
UnsupportedCallbackException