Class JaasServerOauthOverPlainValidatorCallbackHandler
All Implemented Interfaces:
CallbackHandler, org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
The client can also authenticate with an access token. In this case the client should set the username parameter to the same principal the broker will resolve from the access token (depending on the Kafka broker configuration this is the value of the 'sub' claim or of the claim specified by the 'oauth.username.claim' configuration). The meaning of the password parameter depends on whether 'oauth.token.endpoint.uri' is configured on the server. If it is configured, the password parameter value should be set to the constant $accessToken: followed by the actual access token string; the $accessToken: prefix lets the broker know that the password should be treated as an access token rather than a client secret. If it is not configured, the client ID + secret (client credentials) mechanism is not available and the 'password' parameter is interpreted as a raw access token without a prefix.
Accepting OAuth credentials over SASL/PLAIN lets every existing Kafka client tool authenticate to your Kafka cluster even when it has no explicit OAuth support.
To install this CallbackHandler in your Kafka listener, specify the following in your 'server.properties':
# Declare a listener
listeners=CLIENT://kafka:9092
# Specify whether the TCP connection is unsecured or protected with TLS
#listener.security.protocol.map=CLIENT:SASL_PLAINTEXT
listener.security.protocol.map=CLIENT:SASL_SSL
# Configure the keystore and truststore for SASL_SSL
listener.name.client.ssl.keystore.location=/tmp/kafka/cluster.keystore.p12
listener.name.client.ssl.keystore.password=keypass
listener.name.client.ssl.keystore.type=PKCS12
listener.name.client.ssl.truststore.location=/tmp/kafka/cluster.truststore.p12
listener.name.client.ssl.truststore.password=trustpass
listener.name.client.ssl.truststore.type=PKCS12
# Enable SASL/PLAIN authentication mechanism on your listener in addition to any others
#sasl.enabled.mechanisms: PLAIN,OAUTHBEARER
sasl.enabled.mechanisms: PLAIN
# Install the SASL/PLAIN LoginModule using per-listener sasl.jaas.config
listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
oauth.token.endpoint.uri="https://sso-server/token" \
oauth.valid.issuer.uri="https://java-server" \
oauth.jwks.endpoint.uri="https://java-server/certs" \
oauth.username.claim="preferred_username";
# Install this CallbackHandler to provide custom handling of authentication
listener.name.client.plain.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler
There is additional sasl.jaas.config configuration that may need to be specified in order for this CallbackHandler to work with your authorization server.
Note: The following configuration keys can be specified as parameters to sasl.jaas.config in the Kafka `server.properties` file, or as ENV vars, in which case an all-uppercase key name with '.' replaced by '_' is also attempted (e.g. OAUTH_TOKEN_ENDPOINT_URI). They can also be specified as system properties. The priority is in reverse order: a system property overrides the ENV var, which overrides `server.properties`. When not specified as parameters to sasl.jaas.config, the configuration keys apply to all listeners.
Optional sasl.jaas.config configuration:
- oauth.token.endpoint.uri A URL of the authorization server's token endpoint. The token endpoint is used to authenticate to the authorization server with the clientId and the secret received over the username and password parameters. If set, both clientId + secret and userId + access token are available. Otherwise only userId + access token authentication is available.
- oauth.client.credentials.grant.type A custom value of the `grant_type` parameter passed to the token endpoint when authenticating with the clientId and the secret to obtain the token.
- oauth.scope A `scope` parameter passed to the token endpoint when authenticating with the clientId and the secret to obtain the token.
- oauth.audience An `audience` parameter passed to the token endpoint when authenticating with the clientId and the secret to obtain the token.
The rest of the configuration is the same as for JaasServerOauthValidatorCallbackHandler.
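To make the credential rules above concrete, here is an added Python model (not the Strimzi handler's own code) of how a broker interprets a SASL/PLAIN username/password pair: it applies the $accessToken: prefix rule, falls back to raw-token mode when oauth.token.endpoint.uri is unset, and checks that the username matches the principal claim selected by oauth.username.claim. The sample JWT is constructed and unsigned; signature and issuer verification are assumed to happen separately, as the page delegates them to JaasServerOauthValidatorCallbackHandler.

```python
import base64
import json

# Prefix the page documents for the access-token form of the PLAIN password
ACCESS_TOKEN_PREFIX = "$accessToken:"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample JWT for the demo (header.payload.dummy-signature)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummysig"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT without verifying it; signature and
    issuer checks are assumed to run separately (JWKS / oauth.valid.issuer.uri)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("password is not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def route_plain_credentials(username: str, password: str,
                            token_endpoint_configured: bool,
                            username_claim: str = "sub") -> tuple:
    """Interpret a SASL/PLAIN username/password pair as the page describes.

    Returns ("client_credentials", client_id, secret) when the pair must be
    exchanged at oauth.token.endpoint.uri, or ("access_token", principal, token)
    when the password already carries a token whose principal claim matches
    the username. Raises ValueError on a mismatch or a malformed token.
    """
    if token_endpoint_configured:
        if not password.startswith(ACCESS_TOKEN_PREFIX):
            # No prefix: clientId + secret, to be exchanged for a token
            return ("client_credentials", username, password)
        token = password[len(ACCESS_TOKEN_PREFIX):]
    else:
        # Client-credentials grant unavailable; the whole password is the raw token
        token = password
    principal = jwt_claims(token).get(username_claim)
    if principal != username:
        raise ValueError(f"username {username!r} != token {username_claim}={principal!r}")
    return ("access_token", principal, token)
```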
Constructor Summary
Constructors
Method Summary
Methods inherited from class io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
delegatedConfigure, delegatedHandle, getConnectTimeout, getPrincipalExtractor, getReadTimeout, getSocketFactory, getVerifier, isJwt
Constructor Details

JaasServerOauthOverPlainValidatorCallbackHandler
public JaasServerOauthOverPlainValidatorCallbackHandler()

Method Details

configure
public void configure(Map<String, ?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
Specified by: configure in interface org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
Overrides: configure in class JaasServerOauthValidatorCallbackHandler

close
public void close()
Specified by: close in interface org.apache.kafka.common.security.auth.AuthenticateCallbackHandler
Overrides: close in class JaasServerOauthValidatorCallbackHandler

handle
The callback method. Note that we cannot control the error message that is sent to the client when PLAIN is used: the error message is hardcoded in the org.apache.kafka.common.security.plain.internals.PlainSaslServer class. This means that even though we generate an ErrId and log it on the server, that ErrId cannot be propagated to the client, so correlating a client-side failure with the server-side cause requires the broker log.
Specified by: handle in interface CallbackHandler
Overrides: handle in class JaasServerOauthValidatorCallbackHandler