Hi Ashish,

Are you using OAuth for client->broker communication, inter-broker 
communication, or both?

Based on the server.properties configuration that was shared, it looks like the 
configuration is attempting to set up inter-broker communication using OAuth.

For a broker to *retrieve* tokens, it needs to have this configuration:

listener.name.sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler

For a broker to *validate* tokens, it needs to have this configuration:

listener.name.sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler

Then the SASL configs would need to be included too:

listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId="XXXXXXXXXXXXXXXXXX" \
    clientSecret="XXXXXXXXXXXXXXXXXX" \
    audience="https://myprovider.com" \
    serviceName="kafka" \
    scope="kafka.read kafka.write";

If possible, please share any non-sensitive logs.

Thanks,
Kirk
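
The reply above separates the broker side that retrieves a token (login callback handler, client-credentials grant against the token endpoint) from the side that validates it (validator callback handler, which checks the presented token against sasl.oauthbearer.expected.audience, sasl.oauthbearer.expected.issuer and sasl.oauthbearer.clock.skew.seconds, and verifies its signature against the JWKS endpoint). The script below is an added example, not code from this thread or from the Kafka project: it builds the same client-credentials request body and then applies the claim checks to a token, so an {"status":"invalid_token"} reply can be narrowed to a wrong audience, issuer or expiry before digging through broker logs. The function names, the audience request parameter (assumed to be what the JAAS audience option feeds through to the token endpoint) and the sample tokens are constructed for the example; the sample tokens are unsigned, and the signature check the broker performs against the JWKS endpoint is deliberately not reproduced.

```python
"""Claim-level check of an OAUTHBEARER token before it reaches a Kafka broker.

Added example (not Kafka project code). Mirrors the claim checks a broker's
validator applies so that an invalid_token reply can be narrowed down offline.
Signature verification against the JWKS endpoint is NOT reproduced here.
"""
import base64
import json
import time
import urllib.parse


def build_client_credentials_body(client_id, client_secret, scope=None, audience=None):
    """Form body of the client_credentials grant sent to the token endpoint.

    'audience' is an assumption: Auth0 expects it, and the JAAS config in the
    thread carries an audience option, so it is passed through here.
    """
    fields = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }
    if scope:
        fields["scope"] = scope
    if audience:
        fields["audience"] = audience
    return urllib.parse.urlencode(fields)


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_claims(token):
    """Return (header, claims) of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def find_token_problems(token, expected_audience, expected_issuer=None,
                        now=None, clock_skew_seconds=0):
    """List the reasons a broker would reject this token's claims ([] if none).

    The parameters correspond to sasl.oauthbearer.expected.audience,
    sasl.oauthbearer.expected.issuer and sasl.oauthbearer.clock.skew.seconds.
    """
    now = time.time() if now is None else now
    problems = []
    try:
        _header, claims = decode_jwt_claims(token)
    except ValueError as exc:  # covers JSON and base64 decode errors too
        return [f"token is not a parseable JWT: {exc}"]

    # 'aud' may be a single string or a list; the expected audience must be in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else ([aud] if aud is not None else [])
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: token aud={audiences!r}, "
                        f"broker expects {expected_audience!r}")

    if expected_issuer is not None and claims.get("iss") != expected_issuer:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, "
                        f"broker expects {expected_issuer!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("missing exp claim")
    elif exp + clock_skew_seconds < now:
        problems.append(f"token expired at {exp}, now {int(now)}")

    nbf = claims.get("nbf")
    if nbf is not None and nbf - clock_skew_seconds > now:
        problems.append(f"token not valid before {nbf}, now {int(now)}")

    if "sub" not in claims:
        problems.append("missing sub claim (used as the broker principal)")
    return problems


def make_sample_token(claims):
    """Build a constructed, UNSIGNED (alg=none) token for offline demonstration.

    A real Auth0 token is RS256-signed and the broker verifies that signature
    against the JWKS endpoint; this helper deliberately does not model that.
    """
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    now = 1_742_400_000  # fixed "current time" so the demo is deterministic
    issuer = "https://tenant.example.auth0.com/"  # constructed issuer
    good = make_sample_token({"iss": issuer, "sub": "abc@clients",
                              "aud": "https://myprovider.com", "exp": now + 3600, "iat": now})
    bad = make_sample_token({"iss": issuer, "sub": "abc@clients",
                             "aud": "https://some-other-api", "exp": now - 10, "iat": now - 3610})
    print(build_client_credentials_body("abc", "secret", "kafka.read kafka.write",
                                        "https://myprovider.com"))
    print(find_token_problems(good, "https://myprovider.com", now=now))
    print(find_token_problems(bad, "https://myprovider.com", now=now))
```

With a real deployment, paste the access_token string returned by the token endpoint into find_token_problems together with the audience the broker expects; an empty list means the remaining suspects are the signature (JWKS endpoint and key ID) and the principal/scope claim names, which this script does not check.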

On Wed, Mar 19, 2025, at 3:41 AM, ashish sood wrote:
> Hi All,
> 
> I am setting up oauth for my Kafka broker. I have set up an account on Auth0 
> for the same and set up an application and API.
> 
> With the below config in the server.properties and Jaas.config file I keep 
> getting an invalid token, although if I generate a token manually via curl it 
> works fine. Also, Auth0 logs show successful generation of the token, but 
> Kafka still shows the error. Any suggestions to resolve this issue would be 
> appreciated. 
> 
> *Server.properties*
> listeners=SASL_PLAINTEXT://:9093
> advertised.listeners=SASL_PLAINTEXT://<XXXXXX>:9093
> sasl.enabled.mechanisms=OAUTHBEARER
> sasl.oauthbearer.jwks.endpoint.url=https://XXXXXXXXX/oauth/token
> sasl.oauthbearer.expected.audience=https://myprovider.com
> oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
> listener.name.sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
> confluent.oauth.groups.claim.name=groups
> inter.broker.listener.name=SASL_PLAINTEXT
> sasl.mechanism.inter.broker.protocol=OAUTHBEARER
> super.users=User:<ClientID>
> sasl.oauthbearer.token.endpoint.url=<XXXXXXXXX>/oauth/token
> sasl.oauthbearer.audience=https://myprovider.com
> allow.everyone.if.no.acl.found=true
> *Jaas Config*
> KafkaServer {
>     org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
>     clientId="XXXXXXXXXXXXXXXXXX"
>     clientSecret="XXXXXXXXXXXXXXXXXX"
>     audience="https://myprovider.com"
>     serviceName="kafka"
>     scope="kafka.read kafka.write";
> };
> 
> *Error*
> [2025-03-19 16:05:43,465] INFO [Controller id=0, targetBrokerId=0] Failed 
> authentication with localhost/127.0.0.1 (channelId=0) 
> ({"status":"invalid_token"}) (org.apache.kafka.common.network.Selector)
> 
> [attachment: image.png]
> 
> [attachment: image.png]
> 
> Thanks & Regards
> 