Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for extensions_ in Oauth2 #227

Open
rao2100 opened this issue Feb 22, 2024 · 3 comments
Open

Support for extensions_ in Oauth2 #227

rao2100 opened this issue Feb 22, 2024 · 3 comments

Comments

@rao2100
Copy link

rao2100 commented Feb 22, 2024
edited
Loading

Are there any plans to add support for Oauth extension_ so that we can use it to connect to confluent cloud. Ideally we want to be able to configure the the following parameters:

bootstrap.servers=<bootstrap URL>
security.protocol=SASL_SSL
sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.mechanism=OAUTHBEARER
sasl.jaas.config= \
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId='<client ID>' \
    scope='<Requested Scope>' \
    clientSecret='<Client Secret>' \
    extension_logicalCluster='<Cluster ID>' \
    extension_identityPoolId='<Pool ID>';

I see that it is already supported in kafka security but not in strimzi. Right now we are not able to configure it strimzi kafka connect as strimzi-kafka-oauth does does not support it.

Strimzi:
https://github.com/strimzi/strimzi-kafka-oauth/blob/main/oauth-client/src/main/java/io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler.java

Kafka:
https://github.com/a0x8o/kafka/blob/master/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java#L177
@mstruk
Copy link
Contributor

mstruk commented Feb 29, 2024

We indeed don't support the SASL extensions in our OAuth plugin. I haven't encountered a use-case before where the broker made use of these, so there was no need to support them on the client. Assumption was always that the JaasClientOauthLoginCallbackHandler will always talk to the Kafka cluster that uses JaasServerOauthValidatorCallbackHandler provided by this project, and in such a setup there is no need for SASL extensions. In your case you are connecting to the Kafka cluster that uses a different OAUTHBEARER plugin (AuthenticateCallbackHandler implementation), which relies on SASL extensions.

One obvious solution would be to use the default Kafka OAuth implementation on the client. But I guess that is not possible when using Strimzi Operator with KafkaConnect custom resource. In order to connect to your cluster you need to pass these extra configuration parameters as some kind of client context information separate from the access token.

@mstruk
Copy link
Contributor

mstruk commented Mar 1, 2024

Support for SASL extensions has been added. See: #231

@rao2100
Copy link
Author

rao2100 commented Mar 5, 2024
edited
Loading

Very nice, thank you very much @mstruk

Any idea which strimzi operator release this will be included?

Currently we are configuring Strimzi Kafka Connect as below, will there be new config be introduced like in **?

authentication:
    type: oauth
    clientId: kafka-connect
    clientSecret:
      key: secret
      secretName: connect-oauth-secret  
    tokenEndpointUri: https://keycloak.keycloak:8443/auth/realms/master/protocol/openid-connect/token
 **extensions:
      key1: value
      key2: value**

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mstruk @rao2100