You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Rajini Sivaram (JIRA)" <ji...@apache.org> on 2018/10/03 11:25:00 UTC
[jira] [Assigned] (KAFKA-7462) Kafka brokers cannot provide OAuth
without a token
[ https://issues.apache.org/jira/browse/KAFKA-7462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Rajini Sivaram reassigned KAFKA-7462:
-------------------------------------
Assignee: Rajini Sivaram
> Kafka brokers cannot provide OAuth without a token
> --------------------------------------------------
>
> Key: KAFKA-7462
> URL: https://issues.apache.org/jira/browse/KAFKA-7462
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.0.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 2.2.0
>
>
> Like with all other SASL mechanisms, OAUTHBEARER uses the same LoginModule class on both server-side and the client-side. But unlike PLAIN or SCRAM where client credentials are optional, OAUTHBEARER requires always requires a token. So while with PLAIN/SCRAM, broker only needs to specify client credentials if the mechanism is used for inter-broker communication, with OAuth, broker requires client credentials even if OAuth is not used for inter-broker communication. This is an issue with the default `OAuthBearerUnsecuredLoginCallbackHandler` used on both client-side and server-side. But more critically, it is an issue with `OAuthBearerLoginModule` which doesn't commit if token == null (commit() returns false).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)