public class OAuthBearerValidatorCallbackHandler extends Object implements AuthenticateCallbackHandler
OAuthBearerValidatorCallbackHandler
is an AuthenticateCallbackHandler
that
accepts OAuthBearerValidatorCallback
and OAuthBearerExtensionsValidatorCallback
callbacks to implement OAuth/OIDC validation. This callback handler is intended only to be used
on the Kafka broker side as it will receive a OAuthBearerValidatorCallback
that includes
the JWT provided by the Kafka client. That JWT is validated in terms of format, expiration,
signature, and audience and issuer (if desired). This callback handler is the broker side of the
OAuth functionality, whereas OAuthBearerLoginCallbackHandler
is used by clients.
This AuthenticateCallbackHandler
is enabled in the broker configuration by setting the
BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS
like so:
listener.name.
The JAAS configuration for OAuth is also needed. If using OAuth for inter-broker communication,
the options are those specified in OAuthBearerLoginCallbackHandler
.
The configuration option
SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL
is also required in order to contact the OAuth/OIDC provider to retrieve the JWKS for use in
JWT signature validation. For example:
listener.name.
Please see the OAuth/OIDC providers documentation for the JWKS endpoint URL.
The following is a list of all the configuration options that are available for the broker validation callback handler:
BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS
SaslConfigs.SASL_JAAS_CONFIG
SaslConfigs.SASL_OAUTHBEARER_CLOCK_SKEW_SECONDS
SaslConfigs.SASL_OAUTHBEARER_EXPECTED_AUDIENCE
SaslConfigs.SASL_OAUTHBEARER_EXPECTED_ISSUER
SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS
SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MAX_MS
SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MS
SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL
SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME
SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME
Constructor and Description |
---|
OAuthBearerValidatorCallbackHandler() |
Modifier and Type | Method and Description |
---|---|
void |
close()
Closes this instance.
|
void |
configure(Map<String,?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries)
Configures this callback handler for the specified SASL mechanism.
|
void |
handle(Callback[] callbacks) |
void |
init(org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver verificationKeyResolver,
org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator) |
public void configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
AuthenticateCallbackHandler
configure
in interface AuthenticateCallbackHandler
configs
- Key-value pairs containing the parsed configuration options of
the client or broker. Note that these are the Kafka configuration options
and not the JAAS configuration options. JAAS config options may be obtained
from `jaasConfigEntries` for callbacks which obtain some configs from the
JAAS configuration. For configs that may be specified as both Kafka config
as well as JAAS config (e.g. sasl.kerberos.service.name), the configuration
is treated as invalid if conflicting values are provided.saslMechanism
- Negotiated SASL mechanism. For clients, this is the SASL
mechanism configured for the client. For brokers, this is the mechanism
negotiated with the client and is one of the mechanisms enabled on the broker.jaasConfigEntries
- JAAS configuration entries from the JAAS login context.
This list contains a single entry for clients and may contain more than
one entry for brokers if multiple mechanisms are enabled on a listener using
static JAAS configuration where there is no mapping between mechanisms and
login module entries. In this case, callback handlers can use the login module in
`jaasConfigEntries` to identify the entry corresponding to `saslMechanism`.
Alternatively, dynamic JAAS configuration option
SaslConfigs.SASL_JAAS_CONFIG
may be
configured on brokers with listener and mechanism prefix, in which case
only the configuration entry corresponding to `saslMechanism` will be provided
in `jaasConfigEntries`.public void init(org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver verificationKeyResolver, org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator)
public void close()
AuthenticateCallbackHandler
close
in interface AuthenticateCallbackHandler
public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
handle
in interface CallbackHandler
IOException
UnsupportedCallbackException