[ 
https://issues.apache.org/jira/browse/KAFKA-17089?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kirk True updated KAFKA-17089:
------------------------------
    Component/s: security

> Incorrect JWT parsing in OAuthBearerUnsecuredJws
> ------------------------------------------------
>
>                 Key: KAFKA-17089
>                 URL: https://issues.apache.org/jira/browse/KAFKA-17089
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients, security
>    Affects Versions: 3.6.2
>            Reporter: Björn Löfroth
>            Priority: Major
>
> The documentation for the `OAuthBearerUnsecuredJws.toMap` function correctly 
> describes that the input is Base64URL, but then goes ahead and does a simple 
> base64 decode.
> [https://github.com/apache/kafka/blob/9a7eee60727dc73f09075e971ea35909d2245f19/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L295]
>  
> It should probably be 
> ```
> byte[] decode = Base64.getUrlDecoder().decode(split);
> ```
> The error I get when using Confluent Schema Registry clients:
> ```
> org.apache.kafka.common.errors.SerializationException: Error serializing JSON message
>         at io.confluent.kafka.serializers.json.AbstractKafkaJsonSchemaSerializer.serializeImpl(AbstractKafkaJsonSchemaSerializer.java:171)
>         at io.confluent.kafka.serializers.json.KafkaJsonSchemaSerializer.serialize(KafkaJsonSchemaSerializer.java:95)
>         at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:1000)
>         at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:947)
>         at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:832)
>         at se.ica.icc.schemaregistry.example.confluent.ProducerJsonExample.main(ProducerJsonExample.java:87)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:568)
>         at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:282)
>         at java.base/java.lang.Thread.run(Thread.java:833)
> Caused by: io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.exceptions.SchemaRegistryOauthTokenRetrieverException: Error while fetching Oauth Token for Schema Registry: OAuth Token for Schema Registry is Invalid
>         at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.CachedOauthTokenRetriever.getToken(CachedOauthTokenRetriever.java:74)
>         at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.OauthCredentialProvider.getBearerToken(OauthCredentialProvider.java:53)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.setAuthRequestHeaders(RestService.java:1336)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.buildConnection(RestService.java:361)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.sendHttpRequest(RestService.java:300)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.httpRequest(RestService.java:409)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.getLatestVersion(RestService.java:981)
>         at io.confluent.kafka.schemaregistry.client.rest.RestService.getLatestVersion(RestService.java:972)
>         at io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient.getLatestSchemaMetadata(CachedSchemaRegistryClient.java:574)
>         at io.confluent.kafka.serializers.AbstractKafkaSchemaSerDe.lookupLatestVersion(AbstractKafkaSchemaSerDe.java:571)
>         at io.confluent.kafka.serializers.AbstractKafkaSchemaSerDe.lookupLatestVersion(AbstractKafkaSchemaSerDe.java:554)
>         at io.confluent.kafka.serializers.json.AbstractKafkaJsonSchemaSerializer.serializeImpl(AbstractKafkaJsonSchemaSerializer.java:151)
>         ... 11 more
> Caused by: org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException: Could not validate the access token: malformed Base64 URL encoded value
>         at org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator.validate(LoginAccessTokenValidator.java:93)
>         at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.CachedOauthTokenRetriever.getToken(CachedOauthTokenRetriever.java:72)
>         ... 22 more
> Caused by: org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException: malformed Base64 URL encoded value
>         at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws.toMap(OAuthBearerUnsecuredJws.java:310)
>         at org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator.validate(LoginAccessTokenValidator.java:91)
>         ... 23 more
> ```
> The JWT is otherwise valid when I view it in jwt.io.



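Added example, not Kafka's code and not part of the report quoted above: a minimal decoder for the three segments of a JWS compact serialization that uses java.util.Base64's URL-safe decoder, as RFC 7515 requires, next to the standard-alphabet decoder that produces the "malformed Base64 URL encoded value" failure in the trace. The token is constructed inline (alg "none", empty signature, as the unsecured path handles); its payload was chosen so that the base64url form contains '_', the 63rd alphabet character, which the standard alphabet spells '/'. Both Java decoders accept missing padding, so the two only disagree when a segment happens to contain '-' or '_', which is why such a token decodes fine in other tools and most tokens never trigger the problem. The class name and the JSON claims are assumptions for the example. Note the failure mode: the wrong decoder rejects valid tokens; it does not accept anything it should not.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not the Kafka project's code): decode JWS compact-serialization
 * segments with the base64url alphabet and show why the standard alphabet fails.
 */
public class JwsSegmentDecodeExample {

    /** Split "header.payload.signature"; the signature may be empty for alg "none". */
    static String[] splitCompact(String jws) {
        // limit -1 keeps the trailing empty signature segment of an unsecured JWS
        String[] parts = jws.split("\\.", -1);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected 3 segments, got " + parts.length);
        }
        return parts;
    }

    /** Correct per RFC 7515: segments are base64url, unpadded; '-' and '_' are valid. */
    static String decodeSegmentUrlSafe(String segment) {
        byte[] raw = Base64.getUrlDecoder().decode(segment);
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** The behaviour reported above: standard alphabet, throws on '-' or '_'. */
    static String decodeSegmentStandard(String segment) {
        byte[] raw = Base64.getDecoder().decode(segment);
        return new String(raw, StandardCharsets.UTF_8);
    }

    /** Encode a segment the way a JWS producer does: base64url without padding. */
    static String encodeSegment(String json) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(json.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample token (assumed claims). "???" at a 3-byte-aligned
        // offset encodes to "Pz8_", so the payload segment contains '_'.
        String header = "{\"alg\":\"none\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"alice\",\"nonce\":\"???\"}";
        String token = encodeSegment(header) + "." + encodeSegment(payload) + ".";

        String[] parts = splitCompact(token);
        boolean hasUrlSafeChars = parts[1].indexOf('-') >= 0 || parts[1].indexOf('_') >= 0;
        System.out.println("token: " + token);
        System.out.println("payload segment contains '-' or '_': " + hasUrlSafeChars);

        // URL-safe decoder: succeeds, returns the original JSON.
        System.out.println("url-safe decoder: " + decodeSegmentUrlSafe(parts[1]));

        // Standard decoder: IllegalArgumentException ("Illegal base64 character 5f"),
        // which the Kafka code path in the report wraps as "malformed Base64 URL encoded value".
        try {
            System.out.println("standard decoder: " + decodeSegmentStandard(parts[1]));
        } catch (IllegalArgumentException e) {
            System.out.println("standard decoder rejected a valid segment: " + e.getMessage());
        }
    }
}
```

Run it with `java JwsSegmentDecodeExample.java` (JDK 11+ single-file launch). Swapping the decoder is the whole fix; the inverse mistake is also worth a check in tests, since a token built with standard base64 ('+' or '/') is correctly rejected by the URL-safe decoder, and a validator should not silently accept both alphabets.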
--
This message was sent by Atlassian Jira
(v8.20.10#820010)