org.apache.kafka.common.security.oauthbearer

Class OAuthBearerLoginCallbackHandler

java.lang.Object

org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler

All Implemented Interfaces:

CallbackHandler, AuthenticateCallbackHandler

Direct Known Subclasses:

OAuthBearerLoginCallbackHandler

public class OAuthBearerLoginCallbackHandler
extends Object
implements AuthenticateCallbackHandler

OAuthBearerLoginCallbackHandler is an AuthenticateCallbackHandler that accepts OAuthBearerTokenCallback and SaslExtensionsCallback callbacks to perform the steps to request a JWT from an OAuth/OIDC provider using the clientcredentials. This grant type is commonly used for non-interactive "service accounts" where there is no user available to interactively supply credentials.

The OAuthBearerLoginCallbackHandler is used on the client side to retrieve a JWT and the OAuthBearerValidatorCallbackHandler is used on the broker to validate the JWT that was sent to it by the client to allow access. Both the brokers and clients will need to be configured with their appropriate callback handlers and respective configuration for OAuth functionality to work.

Note that while this callback handler class must be specified for a Kafka client that wants to use OAuth functionality, in the case of OAuth-based inter-broker communication, the callback handler must be used on the Kafka broker side as well.

This AuthenticateCallbackHandler is enabled by specifying its class name in the Kafka configuration. For client use, specify the class name in the SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS configuration like so: sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler

If using OAuth login on the broker side (for inter-broker communication), the callback handler class will be specified with a listener-based property: listener.name..oauthbearer.sasl.login.callback.handler.class like so: listener.name..oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler

The Kafka configuration must also include JAAS configuration which includes the following OAuth-specific options:

• clientIdOAuth client ID (required)
• clientSecretOAuth client secret (required)
• scopeOAuth scope (optional)

The JAAS configuration can also include any SSL options that are needed. The configuration options are the same as those specified by the configuration in SslConfigs.addClientSslSupport(ConfigDef).

Here's an example of the JAAS configuration for a Kafka client: sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ clientId="foo" \ clientSecret="bar" \ scope="baz" \ ssl.protocol="SSL" ;

The configuration option SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL is also required in order for the client to contact the OAuth/OIDC provider. For example: sasl.oauthbearer.token.endpoint.url=https://example.com/oauth2/v1/token Please see the OAuth/OIDC providers documentation for the token endpoint URL.

The following is a list of all the configuration options that are available for the login callback handler:

• SaslConfigs.SASL_LOGIN_CALLBACK_HANDLER_CLASS
• SaslConfigs.SASL_LOGIN_CONNECT_TIMEOUT_MS
• SaslConfigs.SASL_LOGIN_READ_TIMEOUT_MS
• SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS
• SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MAX_MS
• SaslConfigs.SASL_JAAS_CONFIG
• SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL
• SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME
• SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME

Field Summary

Fields

Modifier and Type	Field and Description
static String	CLIENT_ID_CONFIG
static String	CLIENT_ID_DOC
static String	CLIENT_SECRET_CONFIG
static String	CLIENT_SECRET_DOC
static String	SCOPE_CONFIG
static String	SCOPE_DOC

Constructor Summary

Constructors

Constructor and Description
OAuthBearerLoginCallbackHandler()

Method Summary

Modifier and Type	Method and Description
void	close() Closes this instance.
void	configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries) Configures this callback handler for the specified SASL mechanism.
void	handle(Callback[] callbacks)
void	init(org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever accessTokenRetriever, org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator)

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

CLIENT_ID_CONFIG

public static final String CLIENT_ID_CONFIG

See Also:

Constant Field Values

CLIENT_SECRET_CONFIG

public static final String CLIENT_SECRET_CONFIG

See Also:

Constant Field Values

SCOPE_CONFIG

public static final String SCOPE_CONFIG

See Also:

Constant Field Values

CLIENT_ID_DOC

public static final String CLIENT_ID_DOC

See Also:

Constant Field Values

CLIENT_SECRET_DOC

public static final String CLIENT_SECRET_DOC

See Also:

Constant Field Values

SCOPE_DOC

public static final String SCOPE_DOC

See Also:

Constant Field Values

Constructor Detail

OAuthBearerLoginCallbackHandler

public OAuthBearerLoginCallbackHandler()

Method Detail

configure

public void configure(Map<String,?> configs,
                      String saslMechanism,
                      List<AppConfigurationEntry> jaasConfigEntries)

Description copied from interface: AuthenticateCallbackHandler

Configures this callback handler for the specified SASL mechanism.

Specified by:

configure in interface AuthenticateCallbackHandler

Parameters:

configs - Key-value pairs containing the parsed configuration options of the client or broker. Note that these are the Kafka configuration options and not the JAAS configuration options. JAAS config options may be obtained from `jaasConfigEntries` for callbacks which obtain some configs from the JAAS configuration. For configs that may be specified as both Kafka config as well as JAAS config (e.g. sasl.kerberos.service.name), the configuration is treated as invalid if conflicting values are provided.

saslMechanism - Negotiated SASL mechanism. For clients, this is the SASL mechanism configured for the client. For brokers, this is the mechanism negotiated with the client and is one of the mechanisms enabled on the broker.

jaasConfigEntries - JAAS configuration entries from the JAAS login context. This list contains a single entry for clients and may contain more than one entry for brokers if multiple mechanisms are enabled on a listener using static JAAS configuration where there is no mapping between mechanisms and login module entries. In this case, callback handlers can use the login module in `jaasConfigEntries` to identify the entry corresponding to `saslMechanism`. Alternatively, dynamic JAAS configuration option SaslConfigs.SASL_JAAS_CONFIG may be configured on brokers with listener and mechanism prefix, in which case only the configuration entry corresponding to `saslMechanism` will be provided in `jaasConfigEntries`.

init

public void init(org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenRetriever accessTokenRetriever,
                 org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator)

close

public void close()

Description copied from interface: AuthenticateCallbackHandler

Closes this instance.

Specified by:

close in interface AuthenticateCallbackHandler

handle

public void handle(Callback[] callbacks)
            throws IOException,
                   UnsupportedCallbackException

Specified by:

handle in interface CallbackHandler

Throws:

IOException

UnsupportedCallbackException