You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Kirk True (Jira)" <ji...@apache.org> on 2022/07/09 18:53:00 UTC

[jira] [Created] (KAFKA-14062) OAuth token refresh causes client authentication to fail

Kirk True created KAFKA-14062:
---------------------------------

             Summary: OAuth token refresh causes client authentication to fail
                 Key: KAFKA-14062
                 URL: https://issues.apache.org/jira/browse/KAFKA-14062
             Project: Kafka
          Issue Type: Bug
          Components: admin, clients, consumer, producer , security
    Affects Versions: 3.1.1, 3.2.0, 3.1.0, 3.3.0, 3.3
            Reporter: Kirk True
            Assignee: Kirk True
             Fix For: 3.1.2, 3.2.1


While testing OAuth for Connect an issue surfaced where authentication that was successful initially fails during token refresh. This appears to be due to missing SASL extensions on refresh, though those extensions were present on initial authentication.

During token refresh, the Kafka client adds and removes any SASL extensions. If a refresh is attempted during the window when the extensions are not present in the subject, the refresh fails with the following error:
{code:java}
[2022-04-11 20:33:43,250] INFO [AdminClient clientId=adminclient-8] Failed authentication with <host>/<IP> (Authentication failed: 1 extensions are invalid! They are: xxx: Authentication failed) (org.apache.kafka.common.network.Selector){code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)