Package org.apache.kafka.common.security.oauthbearer

Interface OAuthBearerToken

All Known Implementing Classes:

BasicOAuthBearerToken

@Evolving
public interface OAuthBearerToken

The b64token value as defined in RFC 6750 Section 2.1 along with the token's specific scope and lifetime and principal name.

A network request would be required to re-hydrate an opaque token, and that could result in (for example) an IOException, but retrievers for various attributes (scope(), lifetimeMs(), etc.) declare no exceptions. Therefore, if a network request is required for any of these retriever methods, that request could be performed at construction time so that the various attributes can be reliably provided thereafter. For example, a constructor might declare throws IOException in such a case. Alternatively, the retrievers could throw unchecked exceptions.

This interface was introduced in 2.0.0 and, while it feels stable, it could evolve. We will try to evolve the API in a compatible manner (easier now that Java 7 and its lack of default methods doesn't have to be supported), but we reserve the right to make breaking changes in minor releases, if necessary. We will update the InterfaceStability annotation and this notice once the API is considered stable.

See Also:

• RFC 6749 Section 1.4 and RFC 6750 Section 2.1

Method Summary

Modifier and Type	Method	Description
long	lifetimeMs()	The token's lifetime, expressed as the number of milliseconds since the epoch, as per RFC 6749 Section 1.4
String	principalName()	The name of the principal to which this credential applies
Set<String>	scope()	The token's scope of access, as per RFC 6749 Section 1.4
Long	startTimeMs()	When the credential became valid, in terms of the number of milliseconds since the epoch, if known, otherwise null.
String	value()	The b64token value as defined in RFC 6750 Section 2.1

Method Details

value

String value()

The b64token value as defined in RFC 6750 Section 2.1

Returns:

b64token value as defined in RFC 6750 Section 2.1

scope

Set<String> scope()

The token's scope of access, as per RFC 6749 Section 1.4

Returns:

the token's (always non-null but potentially empty) scope of access, as per RFC 6749 Section 1.4. Note that all values in the returned set will be trimmed of preceding and trailing whitespace, and the result will never contain the empty string.

lifetimeMs

long lifetimeMs()

The token's lifetime, expressed as the number of milliseconds since the epoch, as per RFC 6749 Section 1.4

Returns:

the token'slifetime, expressed as the number of milliseconds since the epoch, as per RFC 6749 Section 1.4.

principalName

String principalName()

The name of the principal to which this credential applies

Returns:

the always non-null/non-empty principal name

startTimeMs

Long startTimeMs()

When the credential became valid, in terms of the number of milliseconds since the epoch, if known, otherwise null. An expiring credential may not necessarily indicate when it was created -- just when it expires -- so we need to support a null return value here.

Returns:

the time when the credential became valid, in terms of the number of milliseconds since the epoch, if known, otherwise null