org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator

All Implemented Interfaces:: Closeable, AutoCloseable, org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable, JwtValidator

public class BrokerJwtValidatorextends Object implements JwtValidator

BrokerJwtValidator is an implementation of JwtValidator that is used by the broker to perform more extensive validation of the JWT access token that is received from the client, but ultimately from posting the client credentials to the OAuth/OIDC provider's token endpoint.

The validation steps performed (primarily by the jose4j library) are:

Basic structural validation of the b64token value as defined in RFC 6750 Section 2.1
Basic conversion of the token into an in-memory data structure
Presence of scope, exp, subject, iss, and iat claims
Signature matching validation against the kid and those provided by the OAuth/OIDC provider's JWKS

Nested Class Summary
Nested Classes
Modifier and Type
Class
Description
static interface
BrokerJwtValidator.ClaimSupplier<T>
Field Summary
Fields inherited from interface org.apache.kafka.common.security.oauthbearer.JwtValidator
IAT_CLAIM_REQUIRED, JTI_CLAIM_REQUIRED
Constructor Summary
Constructors
Constructor
Description
BrokerJwtValidator()
A public, no-args constructor is necessary for instantiation via configuration.
Method Summary
Modifier and Type
Method
Description
void
configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)

OAuthBearerToken
validate(String accessToken)
Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an OAuthBearerToken.
Methods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
Methods inherited from interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable
close

Constructor Details
- BrokerJwtValidator
  public BrokerJwtValidator()
  A public, no-args constructor is necessary for instantiation via configuration.
Method Details
- configure
  public void configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
  Specified by:
  configure in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable
- validate
  public OAuthBearerToken validate(String accessToken) throws JwtValidatorException
  Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an OAuthBearerToken.
  Specified by:
  validate in interface JwtValidator
  Parameters:
  accessToken - Non-null JWT access token
  Returns:
  OAuthBearerToken
  Throws:
  JwtValidatorException - Thrown on errors performing validation of given token

Class BrokerJwtValidator

Nested Class Summary

Field Summary

Fields inherited from interface org.apache.kafka.common.security.oauthbearer.JwtValidator

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Methods inherited from interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable

Constructor Details

BrokerJwtValidator

Method Details

configure

validate