Package org.apache.kafka.common.security.oauthbearer.secured
Class Description

AccessTokenRetriever: An AccessTokenRetriever is the internal API by which the login module will retrieve an access token for use in authorization by the broker.

AccessTokenValidator: An instance of AccessTokenValidator acts as a function object that, given an access token in base-64 encoded JWT format, can parse the data, perform validation, and construct an OAuthBearerToken for use by the caller.

BasicOAuthBearerToken: An implementation of the OAuthBearerToken that fairly straightforwardly stores the values given to its constructor (except the scope set, which is copied to avoid modifications).

ClaimValidationUtils: Simple utility class to perform basic cleaning and validation on input values so that they're performed consistently throughout the code base.

CloseableVerificationKeyResolver: The OAuthBearerValidatorCallbackHandler uses a VerificationKeyResolver as part of its validation of the incoming JWT.

ConfigurationUtils: ConfigurationUtils is a utility class to perform basic configuration-related logic and is separated out here for easier, more direct testing.

FileTokenRetriever: FileTokenRetriever is an AccessTokenRetriever that will load the contents, interpreting them as a JWT access key in the serialized form.

HttpAccessTokenRetriever: HttpAccessTokenRetriever is an AccessTokenRetriever that will communicate with an OAuth/OIDC provider directly via HTTP to post client credentials (OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG / OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG) to a publicized token endpoint URL (SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL).

JaasOptionsUtils: JaasOptionsUtils is a utility class to perform logic for the JAAS options and is separated out here for easier, more direct testing.

JwksFileVerificationKeyResolver: JwksFileVerificationKeyResolver is a VerificationKeyResolver implementation that will load the JWKS from the given file system directory.

LoginAccessTokenValidator: LoginAccessTokenValidator is an implementation of AccessTokenValidator that is used by the client to perform some rudimentary validation of the JWT access token that is received as part of the response from posting the client credentials to the OAuth/OIDC provider's token endpoint.

OAuthBearerLoginCallbackHandler: OAuthBearerLoginCallbackHandler is an AuthenticateCallbackHandler that accepts OAuthBearerTokenCallback and SaslExtensionsCallback callbacks to perform the steps to request a JWT from an OAuth/OIDC provider using the client credentials.

OAuthBearerValidatorCallbackHandler: OAuthBearerValidatorCallbackHandler is an AuthenticateCallbackHandler that accepts OAuthBearerValidatorCallback and OAuthBearerExtensionsValidatorCallback callbacks to implement OAuth/OIDC validation.

RefreshingHttpsJwks: Implementation of HttpsJwks that will periodically refresh the JWKS cache to reduce or even prevent HTTP/HTTPS traffic in the hot path of validation.

RefreshingHttpsJwksVerificationKeyResolver: RefreshingHttpsJwksVerificationKeyResolver is a VerificationKeyResolver implementation that will periodically refresh the JWKS using its HttpsJwks instance.

Retry<R>: Retry encapsulates the mechanism to perform a retry and then exponential backoff using provided wait times between attempts.

Retryable<R>: Simple interface to abstract out the call that is made so that it can be retried.

SerializedJwt: SerializedJwt provides a modicum of structure and validation around a JWT's serialized form by splitting and making the three sections (header, payload, and signature) available to the user.

ValidateException: ValidateException is thrown in cases where a JWT access token cannot be determined to be valid for one reason or another.

ValidatorAccessTokenValidator: ValidatorAccessTokenValidator is an implementation of AccessTokenValidator that is used by the broker to perform more extensive validation of the JWT access token that is received from the client, but ultimately from posting the client credentials to the OAuth/OIDC provider's token endpoint.