You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/10/01 08:25:00 UTC
[jira] [Created] (KAFKA-7462) Kafka brokers cannot provide OAuth
without a token
Rajini Sivaram created KAFKA-7462:
-------------------------------------
Summary: Kafka brokers cannot provide OAuth without a token
Key: KAFKA-7462
URL: https://issues.apache.org/jira/browse/KAFKA-7462
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 2.0.0
Reporter: Rajini Sivaram
Fix For: 2.1.0
Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both server-side and the client-side. But unlike PLAIN or SCRAM where client credentials are optional, OAUTHBEARER requires always requires a token. So while with PLAIN/SCRAM, broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth, broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)