Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] JWT bearer grant type support #18912

Draft
wants to merge 35 commits into
base: trunk
Choose a base branch
from
Draft

[WIP] JWT bearer grant type support #18912

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
35 commits
Select commit Hold shift + click to select a range
defadbe
First pass at refactoring
kirktrue Feb 14, 2025
9f2b079
More refactoring
kirktrue Feb 14, 2025
06119da
Updates
kirktrue Feb 15, 2025
7aceaa5
Update AuthenticateCallbackHandler.java
kirktrue Feb 15, 2025
0d7554b
Update AuthenticateCallbackHandler.java
kirktrue Feb 15, 2025
c410fc3
Update AuthenticateCallbackHandler.java
kirktrue Feb 15, 2025
62d96f7
Update AuthenticateCallbackHandler.java
kirktrue Feb 15, 2025
4102c20
Moving things around more
kirktrue Feb 15, 2025
56ed3a9
Updates
kirktrue Feb 15, 2025
04016ed
More updates
kirktrue Feb 15, 2025
7b04655
More updates
kirktrue Feb 15, 2025
bbebbce
Moved internals back to internals for now
kirktrue Feb 18, 2025
88d187d
Moved more code back to internals
kirktrue Feb 18, 2025
c16eaaf
Fixed refresh tests
kirktrue Feb 19, 2025
3ffbb13
Fixed the remaining broken unit test
kirktrue Feb 19, 2025
8a18ef1
First pass at incorporating Zach's JWT bearer code
kirktrue Feb 19, 2025
9026358
First pass at hooking the JWT bearer retriever into the rest of the code
kirktrue Feb 19, 2025
c58d27e
Reverted FileAccessTokenRetriever name change
kirktrue Feb 19, 2025
4939c8a
Rename to revert to original code
kirktrue Feb 19, 2025
0ff639b
More refactoring
kirktrue Feb 19, 2025
15582d0
Refactoring
kirktrue Feb 19, 2025
58ea79f
Clean up of Javadoc
kirktrue Feb 19, 2025
bb5f1c0
Updated formatting
kirktrue Feb 19, 2025
a88b553
Incorporating jwt-bearer configuration and JAAS options
kirktrue Feb 19, 2025
247a75d
More refactoring
kirktrue Feb 19, 2025
038343a
More refactoring
kirktrue Feb 19, 2025
14c8746
spotlessApply fixups
kirktrue Feb 20, 2025
f0113a1
Fixed out-of-order final static and allowing Jackson annotations
kirktrue Feb 20, 2025
a6db62c
The great refactoring of OAuthCompatibilityTool
kirktrue Feb 20, 2025
a7c31a5
Update AccessTokenRetriever.java
kirktrue Feb 20, 2025
07dfaee
Update ValidatorAccessTokenValidator.java
kirktrue Feb 20, 2025
a65fbc1
Merge branch 'apache:trunk' into KAFKA-18573-add-jwt-bearer-grant-type
kirktrue Feb 21, 2025
df66e1c
Update AccessTokenRetriever.java
kirktrue Feb 21, 2025
cf1abbf
Renamed ValidateException to InvalidJwtException
kirktrue Feb 21, 2025
7f62a08
Minor refactoring of class and method names
kirktrue Feb 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
Moving things around more
  • Loading branch information
@kirktrue
kirktrue committed Feb 15, 2025
commit 4102c20b5d5a763845fe56eecbed60310d352061
3 changes: 1 addition & 2 deletions clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AccessTokenRetriever.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@

package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.security.auth.AuthenticationConfigurable;
import org.apache.kafka.common.security.oauthbearer.internals.secured.FileAccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpAccessTokenRetriever;

Expand All @@ -37,7 +36,7 @@
* @see FileAccessTokenRetriever
*/

public interface AccessTokenRetriever extends AuthenticationConfigurable {
public interface AccessTokenRetriever extends OAuthBearerConfigurable {

/**
* Retrieves a JWT access token in its serialized three-part form. The implementation
Expand Down
4 changes: 1 addition & 3 deletions clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AccessTokenValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,7 @@

package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.security.auth.AuthenticationConfigurable;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.apache.kafka.common.security.oauthbearer.internals.secured.DefaultBrokerAccessTokenValidator;

/**
* An instance of <code>AccessTokenValidator</code> acts as a function object that, given an access
Expand Down Expand Up @@ -48,7 +46,7 @@
* to validate the token's contents and verify the signature
*/

public interface AccessTokenValidator extends AuthenticationConfigurable {
public interface AccessTokenValidator extends OAuthBearerConfigurable {

/**
* Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an
Expand Down
3 changes: 1 addition & 2 deletions ...n/java/org/apache/kafka/common/security/oauthbearer/CloseableVerificationKeyResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@

package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.security.auth.AuthenticationConfigurable;
import org.jose4j.keys.resolvers.VerificationKeyResolver;

import java.io.Closeable;
Expand All @@ -34,6 +33,6 @@
* @see Closeable
*/

public interface CloseableVerificationKeyResolver extends VerificationKeyResolver, AuthenticationConfigurable {
public interface CloseableVerificationKeyResolver extends VerificationKeyResolver, OAuthBearerConfigurable {

}
3 changes: 2 additions & 1 deletion ...c/main/java/org/apache/kafka/common/security/oauthbearer/DefaultAccessTokenRetriever.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,14 +21,15 @@
import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.FileAccessTokenRetriever;

import javax.security.auth.login.AppConfigurationEntry;
import java.io.IOException;
import java.net.URL;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;

import javax.security.auth.login.AppConfigurationEntry;

import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;

public class DefaultAccessTokenRetriever implements AccessTokenRetriever {
Expand Down
19 changes: 12 additions & 7 deletions ...ed/DefaultBrokerAccessTokenValidator.java → ...er/DefaultBrokerAccessTokenValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,20 @@
* limitations under the License.
*/

package org.apache.kafka.common.security.oauthbearer.internals.secured;
package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.AccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.CloseableVerificationKeyResolver;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;

import org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ClaimValidationUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.DelegatingVerificationKeyResolver;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver;
import org.apache.kafka.common.security.oauthbearer.internals.secured.SerializedJwt;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;

import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
Expand All @@ -38,8 +43,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.login.AppConfigurationEntry;
import java.io.IOException;
import java.security.Key;
import java.util.Collection;
import java.util.Collections;
Expand All @@ -50,6 +53,8 @@
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

import javax.security.auth.login.AppConfigurationEntry;

import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_CLOCK_SKEW_SECONDS;
import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_EXPECTED_AUDIENCE;
import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_EXPECTED_ISSUER;
Expand Down
3 changes: 2 additions & 1 deletion .../java/org/apache/kafka/common/security/oauthbearer/DefaultClientAccessTokenValidator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,13 +28,14 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.login.AppConfigurationEntry;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.security.auth.login.AppConfigurationEntry;

import static org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME;
import static org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME;
import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME;
Expand Down
34 changes: 0 additions & 34 deletions clients/src/main/java/org/apache/kafka/common/security/oauthbearer/Initable.java
View file
Open in desktop

This file was deleted.

7 changes: 4 additions & 3 deletions ...rity/auth/AuthenticationConfigurable.java → .../oauthbearer/OAuthBearerConfigurable.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,23 @@
* limitations under the License.
*/

package org.apache.kafka.common.security.auth;
package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.Configurable;

import javax.security.auth.login.AppConfigurationEntry;
import java.io.Closeable;
import java.util.List;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;

/**
* Analogue to {@link Configurable} for SASL-based authentication.
*
* Any resources created in {@link #configure(Map, String, List)} should be cleaned up and released in
* the call to {@link #close()}.
*/
public interface AuthenticationConfigurable extends Closeable {
public interface OAuthBearerConfigurable extends Closeable {

/**
* Configures this object for the specified SASL mechanism.
Expand Down
9 changes: 4 additions & 5 deletions ...nts/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerHttpClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,11 @@

package org.apache.kafka.common.security.oauthbearer;

import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.security.oauthbearer.internals.secured.Retry;
import org.apache.kafka.common.security.oauthbearer.internals.secured.UnretryableException;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
Expand All @@ -35,7 +32,9 @@
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocketFactory;

/**
* <code>OAuthBearerHttpClient</code> is a lightweight client that can be used by callback handlers to
Expand Down
29 changes: 15 additions & 14 deletions ...in/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,27 +22,28 @@
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.AuthenticationConfigurable;
import org.apache.kafka.common.security.auth.SaslExtensions;
import org.apache.kafka.common.security.auth.SaslExtensionsCallback;
import org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerClientInitialResponse;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientCredentialsAccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.internals.secured.DefaultBrokerAccessTokenValidator;
import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.apache.kafka.common.utils.Utils;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;
import java.io.Closeable;
import java.io.IOException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.sasl.SaslException;

import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;

/**
Expand Down Expand Up @@ -148,7 +149,9 @@
* </p>
*/

public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHandler {
public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHandler, Closeable {

private static final Logger log = LoggerFactory.getLogger(OAuthBearerLoginCallbackHandler.class);

public static final String CLIENT_ID_CONFIG = "clientId";
public static final String CLIENT_SECRET_CONFIG = "clientSecret";
Expand All @@ -172,8 +175,6 @@ public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHand
"OAuth \"scope\". If so, the " + SCOPE_CONFIG + " is used to provide the value to " +
"include with the login request.";

private static final Logger log = LoggerFactory.getLogger(OAuthBearerLoginCallbackHandler.class);

private static final String EXTENSION_PREFIX = "extension_";

protected Map<String, Object> moduleOptions;
Expand Down Expand Up @@ -285,11 +286,11 @@ protected void checkInitialized() {
}

@SuppressWarnings("unchecked")
private <T extends AuthenticationConfigurable> T newInstance(String configName,
Class<T> defaultClazz,
Map<String, ?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
private <T extends OAuthBearerConfigurable> T newInstance(String configName,
Class<T> defaultClazz,
Map<String, ?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
Class<T> clazz = (Class<T>) configs.get(configName);

if (clazz == null)
Expand Down
17 changes: 8 additions & 9 deletions ...ava/org/apache/kafka/common/security/oauthbearer/OAuthBearerValidatorCallbackHandler.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,14 +20,13 @@
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.SaslConfigs;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.auth.AuthenticationConfigurable;
import org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException;
import org.apache.kafka.common.security.oauthbearer.internals.secured.DefaultBrokerAccessTokenValidator;

import org.apache.kafka.common.utils.Utils;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.Closeable;
import java.io.IOException;
import java.util.List;
import java.util.Map;
Expand Down Expand Up @@ -95,7 +94,7 @@
* </p>
*/

public class OAuthBearerValidatorCallbackHandler implements AuthenticateCallbackHandler {
public class OAuthBearerValidatorCallbackHandler implements AuthenticateCallbackHandler, Closeable {

private static final Logger log = LoggerFactory.getLogger(OAuthBearerValidatorCallbackHandler.class);

Expand Down Expand Up @@ -167,11 +166,11 @@ private void checkInitialized() {
}

@SuppressWarnings("unchecked")
private <T extends AuthenticationConfigurable> T newInstance(String configName,
Class<T> defaultClazz,
Map<String, ?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
private <T extends OAuthBearerConfigurable> T newInstance(String configName,
Class<T> defaultClazz,
Map<String, ?> configs,
String saslMechanism,
List<AppConfigurationEntry> jaasConfigEntries) {
Class<T> clazz = (Class<T>) configs.get(configName);

if (clazz == null)
Expand Down
5 changes: 2 additions & 3 deletions .../common/security/oauthbearer/internals/secured/ClientCredentialsAccessTokenRetriever.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,17 +21,16 @@
import org.apache.kafka.common.security.oauthbearer.AccessTokenRetriever;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler;
import org.apache.kafka.common.utils.Utils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.security.auth.login.AppConfigurationEntry;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;

import static org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_HEADER_URLENCODE;
import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_HEADER_URLENCODE;
import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
Expand Down
6 changes: 3 additions & 3 deletions ...afka/common/security/oauthbearer/internals/secured/DelegatingVerificationKeyResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,20 +19,20 @@

import org.apache.kafka.common.security.oauthbearer.CloseableVerificationKeyResolver;
import org.apache.kafka.common.utils.Time;

import org.apache.kafka.common.utils.Utils;

import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.UnresolvableKeyException;

import javax.security.auth.login.AppConfigurationEntry;
import java.io.IOException;
import java.net.URL;
import java.security.Key;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import javax.security.auth.login.AppConfigurationEntry;

import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL;

public class DelegatingVerificationKeyResolver implements CloseableVerificationKeyResolver {
Expand Down
Loading
Loading