Posted to jira@kafka.apache.org by "Manikumar (Jira)" <ji...@apache.org> on 2022/07/27 11:17:00 UTC

[jira] [Resolved] (KAFKA-13730) OAuth access token validation fails if it does not contain the "sub" claim

     [ https://issues.apache.org/jira/browse/KAFKA-13730?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar resolved KAFKA-13730.
-------------------------------
    Fix Version/s: 3.4.0
       Resolution: Fixed

> OAuth access token validation fails if it does not contain the "sub" claim
> --------------------------------------------------------------------------
>
>                 Key: KAFKA-13730
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13730
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>            Reporter: Daniel Fonai
>            Assignee: Kirk True
>            Priority: Minor
>             Fix For: 3.4.0
>
>
> Client authentication fails when the client is configured to use OAuth and the JWT access token does {*}not contain the sub claim{*}. This issue was discovered while testing Kafka integration with Ping Identity OAuth server. According to Ping's [documentation|https://apidocs.pingidentity.com/pingone/devguide/v1/api/#access-tokens-and-id-tokens]:
> {quote}sub – A string that specifies the identifier for the authenticated user. This claim is not present for client_credentials tokens.
> {quote}
> In this case Kafka broker rejects the token regardless of the [sasl.oauthbearer.sub.claim.name|https://kafka.apache.org/documentation/#brokerconfigs_sasl.oauthbearer.sub.claim.name] property value.
>  
> ----
>  
> Steps to reproduce:
> 1. Client configuration:
> {noformat}
> security.protocol=SASL_PLAINTEXT
> sasl.mechanism=OAUTHBEARER
> sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
> sasl.oauthbearer.token.endpoint.url=https://oauth.server.fqdn/token/endpoint
> sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required\
>  clientId="kafka-client"\
>  clientSecret="kafka-client-secret";
> # claim name for the principal to be extracted from, needed for client side validation too
> # (a Java .properties file only treats '#' at the start of a line as a comment, so the comment must not share the line with the value)
> sasl.oauthbearer.sub.claim.name=client_id
> {noformat}
> 2. Broker configuration:
> {noformat}
> sasl.enabled.mechanisms=...,OAUTHBEARER
> listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
> listener.name.sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
> sasl.oauthbearer.jwks.endpoint.url=https://oauth.server.fqdn/jwks/endpoint
> # based on OAuth server setup
> sasl.oauthbearer.expected.audience=oauth-audience
> # claim name for the principal to be extracted from
> sasl.oauthbearer.sub.claim.name=client_id
> {noformat}
> 3. Try to perform some client operation:
> {noformat}
> kafka-topics --bootstrap-server `hostname`:9092 --list --command-config oauth-client.properties
> {noformat}
> Result:
> Client authentication fails due to invalid access token.
>  - client log:
> {noformat}
> [2022-03-11 16:21:20,461] ERROR [AdminClient clientId=adminclient-1] Connection to node -1 (localhost/127.0.0.1:9092) failed authentication due to: {"status":"invalid_token"} (org.apache.kafka.clients.NetworkClient)
> [2022-03-11 16:21:20,463] WARN [AdminClient clientId=adminclient-1] Metadata update failed due to authentication error (org.apache.kafka.clients.admin.internals.AdminMetadataManager)
> org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"}
> Error while executing topic command : {"status":"invalid_token"}
> [2022-03-11 16:21:20,468] ERROR org.apache.kafka.common.errors.SaslAuthenticationException: {"status":"invalid_token"}
>  (kafka.admin.TopicCommand$)
> {noformat}
>  - broker log:
> {noformat}
> [2022-03-11 16:21:20,150] WARN Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.] (org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler)
> org.apache.kafka.common.security.oauthbearer.secured.ValidateException: Could not validate the access token: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
> 	at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:159)
> 	at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handleValidatorCallback(OAuthBearerValidatorCallbackHandler.java:184)
> 	at org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler.handle(OAuthBearerValidatorCallbackHandler.java:169)
> 	at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.process(OAuthBearerSaslServer.java:156)
> 	at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.evaluateResponse(OAuthBearerSaslServer.java:101)
> 	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:451)
> 	at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:280)
> 	at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:181)
> 	at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543)
> 	at org.apache.kafka.common.network.Selector.poll(Selector.java:481)
> 	at kafka.network.Processor.poll(SocketServer.scala:989)
> 	at kafka.network.Processor.run(SocketServer.scala:892)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->{"client_id":"...","iss":"...","iat":1647012079,"exp":1647015679,"aud":[...],"env":"...","org":"..."}) rejected due to invalid claims or other invalid content. Additional details: [[14] No Subject (sub) claim is present.]
> 	at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:466)
> 	at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:311)
> 	at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:433)
> 	at org.apache.kafka.common.security.oauthbearer.secured.ValidatorAccessTokenValidator.validate(ValidatorAccessTokenValidator.java:157)
> 	... 12 more
> [2022-03-11 16:21:20,154] INFO [SocketServer listenerType=ZK_BROKER, nodeId=0] Failed authentication with /127.0.0.1 ({"status":"invalid_token"}) (org.apache.kafka.common.network.Selector)
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
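The behaviour in the report can be reproduced outside Kafka with a small validator. The block below is an added example, not code from the Kafka project, from jose4j, or from the issue reporter. It uses only the Python standard library, a constructed HS256 key (a real broker verifies against the issuer's JWKS keys) and constructed claims shaped like the broker log above: a client_credentials token that carries "client_id" but no "sub". The function names (mint_hs256_token, validate_token, demo), the ValidateException class and the require_standard_sub switch are assumptions made for the example. With require_standard_sub=True the validator demands the literal "sub" claim whatever sasl.oauthbearer.sub.claim.name says, which is the rejection the reporter hit; with require_standard_sub=False it requires only the configured principal claim. Signature, exp and aud are still checked in both modes, so the relaxed mode does not weaken the rest of the validation.

```python
import base64
import hashlib
import hmac
import json
import time


class ValidateException(Exception):
    """Raised when a token fails validation (assumed name, mirrors the broker-side error)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed helper: mint an HS256 JWT so the example runs offline.
    A real OAuth server signs with an asymmetric key published at its JWKS endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, key: bytes, expected_audience: str,
                   sub_claim_name: str = "sub", require_standard_sub: bool = True,
                   now: float = None) -> str:
    """Verify signature, exp and aud, then extract the principal from sub_claim_name.

    require_standard_sub=True reproduces the reported failure: "sub" is required
    regardless of sub_claim_name.  require_standard_sub=False requires only the
    configured claim.  Returns the principal or raises ValidateException."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValidateException("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValidateException("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValidateException("signature mismatch")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValidateException("token expired or missing exp")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience not in aud:
        raise ValidateException("audience mismatch")
    problems = []
    if require_standard_sub and "sub" not in claims:
        problems.append("No Subject (sub) claim is present.")
    principal = claims.get(sub_claim_name)
    if not isinstance(principal, str) or not principal:
        problems.append("No %r claim is present." % sub_claim_name)
    if problems:
        raise ValidateException("rejected due to invalid claims: " + " ".join(problems))
    return principal


KEY = b"constructed-example-key"          # constructed; not a real signing key
NOW = 1647012079                          # iat from the broker log in the report
CLIENT_CREDENTIALS_CLAIMS = {             # constructed; same shape as the logged claims, no "sub"
    "client_id": "kafka-client",
    "iss": "https://oauth.server.fqdn",
    "iat": NOW,
    "exp": NOW + 3600,
    "aud": ["oauth-audience"],
}


def demo() -> dict:
    """Validate the same token under both behaviours and report the outcome of each."""
    token = mint_hs256_token(CLIENT_CREDENTIALS_CLAIMS, KEY)
    results = {}
    try:
        validate_token(token, KEY, "oauth-audience", "client_id",
                       require_standard_sub=True, now=NOW + 1)
        results["hardcoded_sub"] = "accepted"
    except ValidateException as e:
        results["hardcoded_sub"] = "rejected: " + str(e)
    results["configured_claim"] = validate_token(token, KEY, "oauth-audience", "client_id",
                                                 require_standard_sub=False, now=NOW + 1)
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, "->", outcome)
```

Run it as a script to see the "hardcoded_sub" mode reject the token with a message matching the "[14] No Subject (sub) claim is present." detail in the broker log, while the "configured_claim" mode returns the principal "kafka-client". Tampering with the payload or presenting a token without the configured claim is still rejected in the relaxed mode.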