Class ClientCredentialsJwtRetriever

java.lang.Object
org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever
All Implemented Interfaces:
Closeable, AutoCloseable, org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable, JwtRetriever
public class ClientCredentialsJwtRetriever extends Object implements JwtRetriever
ClientCredentialsJwtRetriever is a JwtRetriever that performs the steps to request a JWT from an OAuth/OIDC identity provider using the client_credentials grant type. This grant type is commonly used for non-interactive "service accounts" where there is no user available to interactively supply credentials.

This JwtRetriever is enabled by specifying its class name in the Kafka configuration. For client use, specify the class name in the sasl.oauthbearer.jwt.retriever.class configuration like so: 

 sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever

If using this JwtRetriever on the broker side (for inter-broker communication), the configuration should be specified with a listener-based property: 

 listener.name.<listener name>.oauthbearer.sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever

The ClientCredentialsJwtRetriever also uses the following configuration:

  • sasl.oauthbearer.client.credentials.client.id
  • sasl.oauthbearer.client.credentials.client.secret
  • sasl.oauthbearer.scope
  • sasl.oauthbearer.token.endpoint.url
Please refer to the official Apache Kafka documentation for more information on these, and related configuration.

Previous versions of this implementation used sasl.jaas.config to specify attributes such as clientId, clientSecret, and scope. These will still work, but if the configuration for each of these is specified, it will be used instead of the JAAS option.

Here's an example of the JAAS configuration for a Kafka client: 

 sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;

 sasl.oauthbearer.client.credentials.client.id=jdoe
 sasl.oauthbearer.client.credentials.client.secret=$3cr3+
 sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever
 sasl.oauthbearer.scope=my-application-scope
 sasl.oauthbearer.token.endpoint.url=https://example.com/oauth2/v1/token

  • Constructor Details

    • ClientCredentialsJwtRetriever

      public ClientCredentialsJwtRetriever()

  • Method Details

    • configure

      public void configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
      Specified by:
      configure in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable

    • retrieve

      public String retrieve() throws JwtRetrieverException
      Description copied from interface: JwtRetriever
      Retrieves a JWT access token in its serialized three-part form. The implementation is free to determine how it should be retrieved but should not perform validation on the result. Note: This is a blocking function and callers should be aware that the implementation may be communicating over a network, with the file system, coordinating threads, etc. The facility in the LoginModule from which this is ultimately called does not provide an asynchronous approach.
      Specified by:
      retrieve in interface JwtRetriever
      Returns:
      Non-null JWT access token string
      Throws:
      JwtRetrieverException - Thrown on errors related to IO during retrieval

    • close

      public void close() throws IOException
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Specified by:
      close in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable
      Throws:
      IOException