You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/07/19 12:29:00 UTC

[jira] [Updated] (KAFKA-7182) SASL/OAUTHBEARER client response is missing %x01 separators

     [ https://issues.apache.org/jira/browse/KAFKA-7182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram updated KAFKA-7182:
----------------------------------
    Priority: Blocker  (was: Minor)

> SASL/OAUTHBEARER client response is missing %x01 separators
> -----------------------------------------------------------
>
>                 Key: KAFKA-7182
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7182
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.0.0
>            Reporter: Ron Dagostino
>            Assignee: Ron Dagostino
>            Priority: Blocker
>              Labels: pull-request-available
>
> The format of the SASL/OAUTHBEARER client response is defined in [RFC 7628 Section 3.1|https://tools.ietf.org/html/rfc7628#section-3.1] as follows:
> {noformat}
>      kvsep          = %x01
>      key            = 1*(ALPHA)
>      value          = *(VCHAR / SP / HTAB / CR / LF )
>      kvpair         = key "=" value kvsep
>      client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
> {noformat}
> ;;gs2-header = See [RFC 5801 (Section 4)|https://tools.ietf.org/html/rfc5801#section-4]
> The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:
> {code:java}
> String.format("n,,auth=Bearer %s", callback.token().value())
> {code}
> This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01.  The code should instead be as follows:
> {code:java}
> String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())
> {code}
> Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.
> *This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.*



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)