Re: [PR] KAFKA-18573: Add support for OAuth jwt-bearer grant type [kafka]

via GitHub Thu, 29 May 2025 16:25:43 -0700


kirktrue commented on code in PR #19754:
URL: https://github.com/apache/kafka/pull/19754#discussion_r2114887321



##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/DefaultJwtRetriever.java:
##########
@@ -0,0 +1,109 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.kafka.common.security.oauthbearer;
+
+import org.apache.kafka.common.config.ConfigException;
+import 
org.apache.kafka.common.security.oauthbearer.internals.secured.ClientCredentialsRequestFormatter;
+import 
org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
+import 
org.apache.kafka.common.security.oauthbearer.internals.secured.JwtBearerRequestFormatter;
+import org.apache.kafka.common.utils.Utils;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.IOException;
+import java.net.URL;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+
+import javax.security.auth.login.AppConfigurationEntry;
+
+import static 
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_GRANT_TYPE;
+import static 
org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL;
+
+/**
+ * {@code DefaultJwtRetriever} instantiates and delegates {@link JwtRetriever} 
API calls to an embedded implementation
+ * based on configuration:
+ *
+ * <ul>
+ *     <li>
+ *         If the value of <code>sasl.oauthbearer.token.endpoint.url</code> is 
set to a value that starts with the
+ *         <code>file</code> protocol (e.g. 
<code>file:/tmp/path/to/a/static-jwt.json</code>), an instance of
+ *         {@link FileJwtRetriever} will be used as the underlying {@link 
JwtRetriever}. Otherwise, the URL is
+ *         assumed to be an HTTP/HTTPS-based URL, and the value of
+ *         <code>sasl.oauthbearer.grant.type</code> will be used to determine 
the class to use.
+ *     </li>
+ *     <li>
+ *         If the grant type configuration 
<code>sasl.oauthbearer.grant.type</code> is not present <em>or</em> it
+ *         is set to <code>client_credentials</code>, an instance of {@link 
ClientCredentialsRequestFormatter} will
+ *         be created and used. If the grant type configuration value is set to
+ *         <code>urn:ietf:params:oauth:grant-type:jwt-bearer</code>, then an 
instance of {@link JwtBearerJwtRetriever}
+ *         will be used.
+ *     </li>
+ * </ul>
+ *
+ * The configuration required by the individual {@code JwtRetriever} classes 
will likely differ. Please refer to the
+ * official Apache Kafka documentation for more information on these, and 
related, configuration.
+ */
+public class DefaultJwtRetriever implements JwtRetriever {
+
+    private static final Logger LOG = 
LoggerFactory.getLogger(DefaultJwtRetriever.class);
+
+    private JwtRetriever delegate;
+
+    @Override
+    public void configure(Map<String, ?> configs, String saslMechanism, 
List<AppConfigurationEntry> jaasConfigEntries) {
+        ConfigurationUtils cu = new ConfigurationUtils(configs, saslMechanism);
+        URL tokenEndpointUrl = 
cu.validateUrl(SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL);
+
+        if 
(tokenEndpointUrl.getProtocol().toLowerCase(Locale.ROOT).equals("file")) {
+            delegate = new FileJwtRetriever();
+        } else {
+            String grantType = cu.validateString(SASL_OAUTHBEARER_GRANT_TYPE, 
false);
+
+            if (grantType == null || 
grantType.equalsIgnoreCase(ClientCredentialsRequestFormatter.GRANT_TYPE)) {
+                delegate = new ClientCredentialsJwtRetriever();
+            } else if 
(grantType.equalsIgnoreCase(JwtBearerRequestFormatter.GRANT_TYPE)) {
+                delegate = new JwtBearerJwtRetriever();
+            } else {
+                throw new ConfigException("The grant type \"" + grantType + 
"\" is not supported by the class " + getClass().getName());

Review Comment:
   I ended up removing the grant type configuration since it wasn't really 
needed in the end. Each `JwtRetriever` implementation dictates which grant type 
it uses, so specifying it separately is unnecessary.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] KAFKA-18573: Add support for OAuth jwt-bearer grant type [kafka]

Reply via email to