You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Rajini Sivaram (Jira)" <ji...@apache.org> on 2023/02/06 09:58:00 UTC

[jira] [Created] (KAFKA-14676) Token endpoint URL used for OIDC cannot be set on the JAAS config

Rajini Sivaram created KAFKA-14676:
--------------------------------------

             Summary: Token endpoint URL used for OIDC cannot be set on the JAAS config
                 Key: KAFKA-14676
                 URL: https://issues.apache.org/jira/browse/KAFKA-14676
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions: 3.3.2, 3.2.3, 3.1.2, 3.4.0
            Reporter: Rajini Sivaram
            Assignee: Rajini Sivaram


Kafka allows multiple clients within a JVM to use different SASL configurations by configuring the JAAS configuration in `sasl.jaas.config` instead of the JVM-wide system property. For SASL login, we reuse logins within a JVM by caching logins indexed by their sasl.jaas.config. This relies on login configs being overridable using `sasl.jaas.config`. 

KIP-768 ([https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575)] added support for OIDC for SASL/OAUTHBEARER. The token endpoint used to acquire tokens can currently only be configured using the Kafka config `sasl.oauthbearer.token.endpoint.url`. This prevents different clients within a JVM from using different URLs. We need to either provide a way to override the URL within `sasl.jaas.config` or include more of the client configs in the LoginMetadata used as key for cached logins.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)