[ https://issues.apache.org/jira/browse/KAFKA-7182?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16548399#comment-16548399 ]
ASF GitHub Bot commented on KAFKA-7182:
---------------------------------------

rondagostino opened a new pull request #5391: KAFKA-7182: SASL/OAUTHBEARER client response missing %x01 seps
URL: https://github.com/apache/kafka/pull/5391

The format of the SASL/OAUTHBEARER client response is defined in RFC 7628 Section 3.1 as follows:

    kvsep          = %x01
    key            = 1*(ALPHA)
    value          = *(VCHAR / SP / HTAB / CR / LF )
    kvpair         = key "=" value kvsep
    client-resp    = (gs2-header kvsep *kvpair kvsep) / kvsep
    ;;gs2-header   = See RFC 5801 (Section 4)

The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:

    String.format("n,,auth=Bearer %s", callback.token().value())

This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01. The code should instead be as follows:

    String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())

Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.

This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.

Signed-off-by: Ron Dagostino <rndg...@gmail.com>

*More detailed description of your change, if necessary. The PR title and PR message become the squashed commit message, so use a separate comment to ping reviewers.*

*Summary of testing strategy (including rationale) for the feature or bug fix. Unit and/or integration tests are expected for any behaviour change and system tests should be considered for larger changes.*

### Committer Checklist (excluded from commit message)
- [ ] Verify design and implementation
- [ ] Verify test coverage and CI build status
- [ ] Verify documentation (including upgrade notes)

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

> SASL/OAUTHBEARER client response is missing %x01 separators
> -----------------------------------------------------------
>
>                 Key: KAFKA-7182
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7182
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 2.0.0
>            Reporter: Ron Dagostino
>            Assignee: Ron Dagostino
>            Priority: Minor
>              Labels: pull-request-available
>
> The format of the SASL/OAUTHBEARER client response is defined in [RFC 7628 Section 3.1|https://tools.ietf.org/html/rfc7628#section-3.1] as follows:
> {noformat}
> kvsep = %x01
> key = 1*(ALPHA)
> value = *(VCHAR / SP / HTAB / CR / LF )
> kvpair = key "=" value kvsep
> client-resp = (gs2-header kvsep *kvpair kvsep) / kvsep
> {noformat}
> ;;gs2-header = See [RFC 5801 (Section 4)|https://tools.ietf.org/html/rfc5801#section-4]
>
> The SASL/OAUTHBEARER client response as currently implemented in OAuthBearerSaslClient sends the valid gs2-header "n,," but then sends the "auth" key and value immediately after it, like this:
> {code:java}
> String.format("n,,auth=Bearer %s", callback.token().value())
> {code}
> This does not conform to the specification because there is no %x01 after the gs2-header, no %x01 after the auth value, and no terminating %x01. The code should instead be as follows:
> {code:java}
> String.format("n,,\u0001auth=Bearer %s\u0001\u0001", callback.token().value())
> {code}
> Similarly, the parsing of the client response in OAuthBearerSaslServer, which currently allows the malformed text, must also change.
>
> *This should be fixed prior to the initial release of the SASL/OAUTHBEARER code in 2.0.0 to prevent compatibility problems.*

-- 
This message was sent by Atlassian JIRA
(v7.6.3#76005)
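The issue above is about a wire format, so the following added example (not Kafka's code, and written in Python rather than the Java of OAuthBearerSaslClient/OAuthBearerSaslServer so it can be run stand-alone) shows both halves of the fix: a client-side builder that emits the corrected `n,,%x01auth=Bearer <token>%x01%x01` form, and a server-side parser that checks the response against the RFC 7628 section 3.1 ABNF and rejects the pre-fix form that lacks the separators. The function names, the `is_well_formed` helper and the sample token are this example's own assumptions; the gs2-header handling follows RFC 5801 section 4 but does not decode saslname escapes, a simplification noted in the code.

```python
"""Build and strictly validate a SASL/OAUTHBEARER client response.

Grammar (RFC 7628 section 3.1), with the gs2-header from RFC 5801 section 4:
    client-resp = (gs2-header kvsep *kvpair kvsep) / kvsep
    kvpair      = key "=" value kvsep
    kvsep       = %x01
"""
import re

KVSEP = "\x01"

# gs2-header = gs2-cb-flag "," [gs2-authzid] ","  (RFC 5801 section 4; the
# optional gs2-nonstd-flag is omitted and saslname escapes of "," and "=" are
# not decoded: a simplification made for this example).
_GS2_HEADER_RE = re.compile(
    r"^(?P<cbflag>n|y|p=[A-Za-z0-9.\-]+),(?:a=(?P<authzid>[^,\x00\x01]+))?,"
)
_KEY_RE = re.compile(r"^[A-Za-z]+$")                # key = 1*(ALPHA)
_VALUE_RE = re.compile(r"^[\x21-\x7E \t\r\n]*$")    # VCHAR / SP / HTAB / CR / LF
_BEARER_RE = re.compile(r"^[Bb]earer (?P<token>[A-Za-z0-9._~+/-]+=*)$")  # RFC 6750 b64token


def build_client_response(token, authzid=None):
    """Client side: the corrected form, with %x01 after the gs2-header,
    after the auth kvpair, and once more to terminate the response."""
    gs2_header = "n," + (f"a={authzid}" if authzid else "") + ","
    return f"{gs2_header}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"


def parse_client_response(resp):
    """Server side: return (authzid, {key: value}) or raise ValueError.

    Every deviation from the ABNF is rejected, so the pre-fix form
    "n,,auth=Bearer <token>" (no separators at all) is not accepted.
    """
    if resp == KVSEP:
        # The bare-kvsep alternative: what a client sends after a server error.
        return None, {}
    m = _GS2_HEADER_RE.match(resp)
    if not m:
        raise ValueError("invalid gs2-header")
    rest = resp[m.end():]
    if not rest.startswith(KVSEP):
        raise ValueError("missing %x01 after gs2-header")
    body = rest[1:]
    if not body.endswith(KVSEP):
        raise ValueError("missing terminating %x01")
    parts = body[:-1].split(KVSEP)
    # Each kvpair carries its own trailing kvsep, so once the final terminator
    # is removed the split must end with an empty string.
    if parts[-1] != "":
        raise ValueError("kvpair not followed by %x01 (or terminating %x01 missing)")
    pairs = {}
    for pair in parts[:-1]:
        key, sep, value = pair.partition("=")
        if not sep or not _KEY_RE.match(key) or not _VALUE_RE.match(value):
            raise ValueError(f"malformed kvpair: {pair!r}")
        if key in pairs:
            raise ValueError(f"duplicate key: {key}")
        pairs[key] = value
    return m.group("authzid"), pairs


def bearer_token(pairs):
    """Extract the b64token from the required 'auth' kvpair (RFC 6750 syntax)."""
    m = _BEARER_RE.match(pairs.get("auth", ""))
    if not m:
        raise ValueError("missing or malformed auth=Bearer value")
    return m.group("token")


def is_well_formed(resp):
    """True when the response parses and, unless it is the bare kvsep, carries a token."""
    try:
        _authzid, pairs = parse_client_response(resp)
        if resp != KVSEP:
            bearer_token(pairs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample token (not a real credential).
    good = build_client_response("eyJhbGciOiJub25lIn0.e30.")
    legacy = "n,,auth=Bearer eyJhbGciOiJub25lIn0.e30."   # what the pre-fix client sent
    print(repr(good), is_well_formed(good))       # True
    print(repr(legacy), is_well_formed(legacy))   # False
```

The parser deliberately distinguishes the three separator defects the issue names (no %x01 after the gs2-header, none after the auth value, no terminating %x01) so that an interoperability failure against a strict peer shows up as a precise error rather than a generic authentication failure; a lenient server that accepts the legacy form, as the pre-fix OAuthBearerSaslServer did, would mask the bug until a conforming client or server was introduced.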