You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/10/08 09:55:00 UTC
[jira] [Resolved] (KAFKA-7462) Kafka brokers cannot provide OAuth
without a token
[ https://issues.apache.org/jira/browse/KAFKA-7462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram resolved KAFKA-7462.
-----------------------------------
Resolution: Fixed
Fix Version/s: (was: 2.2.0)
2.1.0
> Kafka brokers cannot provide OAuth without a token
> --------------------------------------------------
>
> Key: KAFKA-7462
> URL: https://issues.apache.org/jira/browse/KAFKA-7462
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 2.1.0
>
>
> Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both server-side and the client-side. But unlike PLAIN or SCRAM where client credentials are optional, OAUTHBEARER requires always requires a token. So while with PLAIN/SCRAM, broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth, broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)