You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/10/01 08:25:00 UTC

[jira] [Created] (KAFKA-7462) Kafka brokers cannot provide OAuth without a token

Rajini Sivaram created KAFKA-7462:
-------------------------------------

             Summary: Kafka brokers cannot provide OAuth without a token
                 Key: KAFKA-7462
                 URL: https://issues.apache.org/jira/browse/KAFKA-7462
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 2.0.0
            Reporter: Rajini Sivaram
             Fix For: 2.1.0


Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both  server-side and the client-side. But unlike PLAIN or SCRAM where client credentials are optional, OAUTHBEARER requires always requires a token. So while with PLAIN/SCRAM, broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth, broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)