org.apache.kafka.common.security.oauthbearer

Class OAuthBearerExtensionsValidatorCallback

java.lang.Object

org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback

All Implemented Interfaces:

javax.security.auth.callback.Callback

public class OAuthBearerExtensionsValidatorCallback
extends java.lang.Object
implements javax.security.auth.callback.Callback

A Callback for use by the SaslServer implementation when it needs to validate the SASL extensions for the OAUTHBEARER mechanism Callback handlers should use the valid(String) method to communicate valid extensions back to the SASL server. Callback handlers should use the error(String, String) method to communicate validation errors back to the SASL Server. As per RFC-7628 (https://tools.ietf.org/html/rfc7628#section-3.1), unknown extensions must be ignored by the server. The callback handler implementation should simply ignore unknown extensions, not calling error(String, String) nor valid(String). Callback handlers should communicate other problems by raising an IOException.

The OAuth bearer token is provided in the callback for better context in extension validation. It is very important that token validation is done in its own OAuthBearerValidatorCallback irregardless of provided extensions, as they are inherently insecure.

Constructor Summary

Constructors

Constructor and Description
OAuthBearerExtensionsValidatorCallback(OAuthBearerToken token, SaslExtensions extensions)

Method Summary

Modifier and Type	Method and Description
void	error(java.lang.String invalidExtensionName, java.lang.String errorMessage) Set the error value for a specific extension key-value pair if validation has failed
java.util.Map<java.lang.String,java.lang.String>	ignoredExtensions()
SaslExtensions	inputExtensions()
java.util.Map<java.lang.String,java.lang.String>	invalidExtensions()
OAuthBearerToken	token()
void	valid(java.lang.String extensionName) Validates a specific extension in the original inputExtensions map
java.util.Map<java.lang.String,java.lang.String>	validatedExtensions()

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OAuthBearerExtensionsValidatorCallback

public OAuthBearerExtensionsValidatorCallback(OAuthBearerToken token,
                                              SaslExtensions extensions)

Method Detail

token

public OAuthBearerToken token()

Returns:

OAuthBearerToken the OAuth bearer token of the client

inputExtensions

public SaslExtensions inputExtensions()

Returns:

SaslExtensions consisting of the unvalidated extension names and values that were sent by the client

validatedExtensions

public java.util.Map<java.lang.String,java.lang.String> validatedExtensions()

Returns:

an unmodifiable Map consisting of the validated and recognized by the server extension names and values

invalidExtensions

public java.util.Map<java.lang.String,java.lang.String> invalidExtensions()

Returns:

An immutable Map consisting of the name->error messages of extensions which failed validation

ignoredExtensions

public java.util.Map<java.lang.String,java.lang.String> ignoredExtensions()

Returns:

An immutable Map consisting of the extensions that have neither been validated nor invalidated

valid

public void valid(java.lang.String extensionName)

Validates a specific extension in the original inputExtensions map

Parameters:

extensionName - - the name of the extension which was validated

error

public void error(java.lang.String invalidExtensionName,
                  java.lang.String errorMessage)

Set the error value for a specific extension key-value pair if validation has failed

Parameters:

invalidExtensionName - the mandatory extension name which caused the validation failure

errorMessage - error message describing why the validation failed