Package org.apache.kafka.common.security.oauthbearer

Class BrokerJwtValidator

java.lang.Object

org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator

All Implemented Interfaces:

Closeable, AutoCloseable, org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable, JwtValidator

public class BrokerJwtValidator
extends Object
implements JwtValidator

BrokerJwtValidator is an implementation of JwtValidator that is used by the broker to perform more extensive validation of the JWT access token that is received from the client, but ultimately from posting the client credentials to the OAuth/OIDC provider's token endpoint. The validation steps performed (primarily by the jose4j library) are:

1. Basic structural validation of the b64token value as defined in RFC 6750 Section 2.1
2. Basic conversion of the token into an in-memory data structure
3. Presence of scope, exp, subject, iss, and iat claims
4. Signature matching validation against the kid and those provided by the OAuth/OIDC provider's JWKS

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static interface	BrokerJwtValidator.ClaimSupplier<T>

Constructor Summary

Constructors

Constructor	Description
BrokerJwtValidator()	A public, no-args constructor is necessary for instantiation via configuration.

Method Summary

Modifier and Type	Method	Description
void	configure(Map<String,?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
OAuthBearerToken	validate(String accessToken)	Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an OAuthBearerToken.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable

close

Constructor Details

BrokerJwtValidator

public BrokerJwtValidator()

A public, no-args constructor is necessary for instantiation via configuration.

Method Details

configure

public void configure(Map<String,?> configs,
 String saslMechanism,
 List<AppConfigurationEntry> jaasConfigEntries)

Specified by:

configure in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable

validate

public OAuthBearerToken validate(String accessToken)
                          throws JwtValidatorException

Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an OAuthBearerToken.

Specified by:

validate in interface JwtValidator

Parameters:

accessToken - Non-null JWT access token

Returns:

OAuthBearerToken

Throws:

JwtValidatorException - Thrown on errors performing validation of given token