org.apache.kafka.common.security.oauthbearer

Class OAuthBearerValidatorCallbackHandler

java.lang.Object

org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler

All Implemented Interfaces:

CallbackHandler, AuthenticateCallbackHandler

Direct Known Subclasses:

OAuthBearerValidatorCallbackHandler

public class OAuthBearerValidatorCallbackHandler
extends Object
implements AuthenticateCallbackHandler

OAuthBearerValidatorCallbackHandler is an AuthenticateCallbackHandler that accepts OAuthBearerValidatorCallback and OAuthBearerExtensionsValidatorCallback callbacks to implement OAuth/OIDC validation. This callback handler is intended only to be used on the Kafka broker side as it will receive a OAuthBearerValidatorCallback that includes the JWT provided by the Kafka client. That JWT is validated in terms of format, expiration, signature, and audience and issuer (if desired). This callback handler is the broker side of the OAuth functionality, whereas OAuthBearerLoginCallbackHandler is used by clients.

This AuthenticateCallbackHandler is enabled in the broker configuration by setting the BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS like so: listener.name..oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler

The JAAS configuration for OAuth is also needed. If using OAuth for inter-broker communication, the options are those specified in OAuthBearerLoginCallbackHandler.

The configuration option SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL is also required in order to contact the OAuth/OIDC provider to retrieve the JWKS for use in JWT signature validation. For example: listener.name..oauthbearer.sasl.oauthbearer.jwks.endpoint.url=https://example.com/oauth2/v1/keys Please see the OAuth/OIDC providers documentation for the JWKS endpoint URL.

The following is a list of all the configuration options that are available for the broker validation callback handler:

• BrokerSecurityConfigs.SASL_SERVER_CALLBACK_HANDLER_CLASS
• SaslConfigs.SASL_JAAS_CONFIG
• SaslConfigs.SASL_OAUTHBEARER_CLOCK_SKEW_SECONDS
• SaslConfigs.SASL_OAUTHBEARER_EXPECTED_AUDIENCE
• SaslConfigs.SASL_OAUTHBEARER_EXPECTED_ISSUER
• SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS
• SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MAX_MS
• SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_RETRY_BACKOFF_MS
• SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL
• SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME
• SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME

Constructor Summary

Constructors

Constructor and Description
OAuthBearerValidatorCallbackHandler()

Method Summary

Modifier and Type	Method and Description
void	close() Closes this instance.
void	configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries) Configures this callback handler for the specified SASL mechanism.
void	handle(Callback[] callbacks)
void	init(org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver verificationKeyResolver, org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator)

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

OAuthBearerValidatorCallbackHandler

public OAuthBearerValidatorCallbackHandler()

Method Detail

configure

public void configure(Map<String,?> configs,
                      String saslMechanism,
                      List<AppConfigurationEntry> jaasConfigEntries)

Description copied from interface: AuthenticateCallbackHandler

Configures this callback handler for the specified SASL mechanism.

Specified by:

configure in interface AuthenticateCallbackHandler

Parameters:

configs - Key-value pairs containing the parsed configuration options of the client or broker. Note that these are the Kafka configuration options and not the JAAS configuration options. JAAS config options may be obtained from `jaasConfigEntries` for callbacks which obtain some configs from the JAAS configuration. For configs that may be specified as both Kafka config as well as JAAS config (e.g. sasl.kerberos.service.name), the configuration is treated as invalid if conflicting values are provided.

saslMechanism - Negotiated SASL mechanism. For clients, this is the SASL mechanism configured for the client. For brokers, this is the mechanism negotiated with the client and is one of the mechanisms enabled on the broker.

jaasConfigEntries - JAAS configuration entries from the JAAS login context. This list contains a single entry for clients and may contain more than one entry for brokers if multiple mechanisms are enabled on a listener using static JAAS configuration where there is no mapping between mechanisms and login module entries. In this case, callback handlers can use the login module in `jaasConfigEntries` to identify the entry corresponding to `saslMechanism`. Alternatively, dynamic JAAS configuration option SaslConfigs.SASL_JAAS_CONFIG may be configured on brokers with listener and mechanism prefix, in which case only the configuration entry corresponding to `saslMechanism` will be provided in `jaasConfigEntries`.

init

public void init(org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver verificationKeyResolver,
                 org.apache.kafka.common.security.oauthbearer.internals.secured.AccessTokenValidator accessTokenValidator)

close

public void close()

Description copied from interface: AuthenticateCallbackHandler

Closes this instance.

Specified by:

close in interface AuthenticateCallbackHandler

handle

public void handle(Callback[] callbacks)
            throws IOException,
                   UnsupportedCallbackException

Specified by:

handle in interface CallbackHandler

Throws:

IOException

UnsupportedCallbackException