
Releases: strimzi/strimzi-kafka-oauth

0.15.0

05 Mar 10:45

Main Changes since 0.14.x

Added OAuth Client Assertion support

Allows clients to authenticate to the authorization server using a client assertion, as specified by RFC 7523 and RFC 7521.
The assertion can be provided by an external mechanism and made available as a file on the file system, or it can be set explicitly through OAuth configuration before running the Kafka client.

Introduced the following new configuration options:

  • oauth.client.assertion
  • oauth.client.assertion.location
  • oauth.client.assertion.type

Added support for clients to read access token and refresh token from a file when authenticating

Introduced the following new configuration options:

  • oauth.refresh.token.location
  • oauth.access.token.location

Added support for bearer token authentication when connecting to protected authorization server endpoints

This is used by the broker when connecting to the JWKS and Introspection endpoints. It was added to support talking to the Kubernetes API server's JWKS endpoint.

Introduced the following new configuration options:

  • oauth.server.bearer.token
  • oauth.server.bearer.token.location

The authentication configuration rules for the introspection endpoint have been relaxed.
The introspection endpoint can now be unprotected (no authentication configured on the listener), or it can be protected with
oauth.client.id and oauth.client.secret to send a Basic Authorization header, or with oauth.server.bearer.token or
oauth.server.bearer.token.location to send a Bearer Authorization header.

The JWKS endpoint can now also be protected in the same way.

Fixed NullPointerException that occurred when OAuthKafkaPrincipalBuilder was used with Kerberos authentication

Fixed a user id extraction bug where oauth.fallback.username.prefix was ignored, and added oauth.username.prefix

A bug introduced in 0.13.0 resulted in oauth.fallback.username.prefix being ignored. This has now been fixed.

A new configuration option was added: oauth.username.prefix.

This allows for consistent mapping of user ids into the same namespace and may be needed to prevent name collisions.

Added support for SASL extension parameters

Added support for passing SASL extensions via OAuth configuration options, by using a prefix: oauth.sasl.extension.

If the Kafka broker uses some other custom OAUTHBEARER implementation, it may require SASL extension options to be sent by the Kafka client.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.15.0 milestone.

0.15.0-rc1

01 Mar 11:47
Pre-release

Main Changes since 0.14.x

Added OAuth Client Assertion support

Allows clients to authenticate to the authorization server using a client assertion, as specified by RFC 7523 and RFC 7521.
The assertion can be provided by an external mechanism and made available as a file on the file system, or it can be set explicitly through OAuth configuration before running the Kafka client.

Introduced the following new configuration options:

  • oauth.client.assertion
  • oauth.client.assertion.location
  • oauth.client.assertion.type

Added support for clients to read access token and refresh token from a file when authenticating

Introduced the following new configuration options:

  • oauth.refresh.token.location
  • oauth.access.token.location

Added support for bearer token authentication when connecting to protected authorization server endpoints

This is used by the broker when connecting to the JWKS and Introspection endpoints. It was added to support talking to the Kubernetes API server's JWKS endpoint.

Introduced the following new configuration options:

  • oauth.server.bearer.token
  • oauth.server.bearer.token.location

The authentication configuration rules for the introspection endpoint have been relaxed.
The introspection endpoint can now be unprotected (no authentication configured on the listener), or it can be protected with
oauth.client.id and oauth.client.secret to send a Basic Authorization header, or with oauth.server.bearer.token or
oauth.server.bearer.token.location to send a Bearer Authorization header.

The JWKS endpoint can now also be protected in the same way.

Fixed NullPointerException that occurred when OAuthKafkaPrincipalBuilder was used with Kerberos authentication

Fixed a user id extraction bug where oauth.fallback.username.prefix was ignored, and added oauth.username.prefix

A bug introduced in 0.13.0 resulted in oauth.fallback.username.prefix being ignored. This has now been fixed.

A new configuration option was added: oauth.username.prefix.

This allows for consistent mapping of user ids into the same namespace and may be needed to prevent name collisions.

Added support for SASL extension parameters

Added support for passing SASL extensions via OAuth configuration options, by using a prefix: oauth.sasl.extension.

If the Kafka broker uses some other custom OAUTHBEARER implementation, it may require SASL extension options to be sent by the Kafka client.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.15.0 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1208</url>
    </repository>
  </repositories>

0.14.0

09 Oct 13:31

Main Changes since 0.13.x

Fixed logging of principal extraction configuration at startup

Fixed a bug where the configured usernameClaim, fallbackUsernameClaim and fallbackUsernamePrefix values were not displayed at initialisation time.

Added support for disabling the Accept header when communicating with the authorization server

Some authorization servers have issues with the Accept header in some circumstances. The configuration options oauth.include.accept.header and strimzi.authorization.include.accept.header have been introduced to allow turning off the sending of the Accept header.

Bumped Kafka version to 3.6.0

When using the Strimzi Kafka OAuth libraries on the client, Kafka version 3.6.0 will be included by default as a transitive dependency.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.14.0 milestone.

0.14.0-rc1

06 Oct 05:59
Pre-release

Main Changes since 0.13.x

Fixed logging of principal extraction configuration at startup

Fixed a bug where the configured usernameClaim, fallbackUsernameClaim and fallbackUsernamePrefix values were not displayed at initialisation time.

Added support for disabling the Accept header when communicating with the authorization server

Some authorization servers have issues with the Accept header in some circumstances. The configuration options oauth.include.accept.header and strimzi.authorization.include.accept.header have been introduced to allow turning off the sending of the Accept header.

Bumped Kafka version to 3.6.0

When using the Strimzi Kafka OAuth libraries on the client, Kafka version 3.6.0 will be included by default as a transitive dependency.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.14.0 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1196</url>
    </repository>
  </repositories>

0.13.0

11 Jul 20:13

Main Changes since 0.12.x

KeycloakAuthorizer has been added that supports both Zookeeper and KRaft mode

While KeycloakRBACAuthorizer can still be used in Zookeeper mode, going forward you should migrate your configuration to KeycloakAuthorizer.

As part of supporting KRaft mode, the grants mapping logic has changed slightly. Rather than using the access token as the unit of grant, the user id is now used. This results in better sharing of grants between sessions of the same user, and should also reduce the number of grants held in the cache and the number of refresh requests to the Keycloak server.

Additional configuration options have been added:

  • strimzi.authorization.grants.max.idle.time.seconds specifies the time after which an idle grant in the cache can be evicted
  • strimzi.authorization.grants.gc.period.seconds specifies the interval between consecutive runs of the grants cache garbage collection job

Also, the option strimzi.authorization.reuse.grants now defaults to true rather than false.

Global option strimzi.oauth.metric.reporters has been added to supersede metric.reporters in OAuth metrics

To avoid double instantiation of metric reporters that are only expected to work as singletons, the metric.reporters option is no longer used by OAuth metrics.
If the new strimzi.oauth.metric.reporters option is not set, OAuth metrics will still instantiate a default org.apache.kafka.common.metrics.JmxReporter if any OAuth metrics are enabled.
To install another metric reporter in addition to JmxReporter, both have to be listed.
Also, the suggested way to configure it on the Kafka broker is as an environment variable rather than as a property in the server.properties file.

Fixed JsonPath handling of null in a query when attribute was missing

This introduces a backwards incompatible change in how queries using an equals or not-equals comparison to null are handled when the targeted attribute is not present.

Examples of affected queries as used in oauth.custom.claim.check:

  • "@.missing == null"
  • "@.missing != null"

Principal extraction from nested username claim was added

It is now possible to use a JsonPath query to target nested attributes when extracting a principal. To use JsonPath, start your claim specification with an opening square bracket [.

For example:

oauth.username.claim="['user.info'].['user.id']"
oauth.fallback.username.claim="['user.info'].['client.id']"
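The nested-claim lookup above and the prefix handling from the 0.15.0 notes (oauth.username.prefix and oauth.fallback.username.prefix), as an added example that is not the project's own code. It assumes a minimal bracket-notation JsonPath (only ['name'] segments joined by '.') and that each prefix is prepended verbatim to the claim it belongs to; the token payloads are constructed.

```python
import re
from typing import Optional

# One bracket-notation segment, e.g. ['user.info']; the quoted name may contain dots.
_SEGMENT = re.compile(r"\['((?:[^'\\]|\\.)*)'\]")


def parse_claim_spec(spec: str) -> list:
    """Split a spec such as "['user.info'].['user.id']" into its path segments.
    Only ['name'] segments joined by a single '.' are accepted (an assumption
    of this example); anything else raises ValueError."""
    segments = []
    pos = 0
    while pos < len(spec):
        if segments:
            if spec[pos] != ".":
                raise ValueError(f"expected '.' at offset {pos} in {spec!r}")
            pos += 1
        m = _SEGMENT.match(spec, pos)
        if m is None:
            raise ValueError(f"expected ['name'] at offset {pos} in {spec!r}")
        segments.append(m.group(1).replace("\\'", "'"))
        pos = m.end()
    return segments


def resolve_claim(claims: dict, spec: str) -> Optional[str]:
    """Look up a claim in a decoded, already signature-verified payload.
    A spec starting with '[' is a nested JsonPath; anything else is a plain
    top-level claim name. Returns None if any path segment is missing or the
    final value is not a string or integer."""
    path = parse_claim_spec(spec) if spec.startswith("[") else [spec]
    node = claims
    for name in path:
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return str(node) if isinstance(node, (str, int)) else None


def extract_principal(claims: dict, username_claim: str,
                      fallback_claim: Optional[str] = None,
                      username_prefix: str = "",
                      fallback_prefix: str = "") -> Optional[str]:
    """Assumed semantics: the primary claim wins and receives username_prefix;
    otherwise the fallback claim is used and receives fallback_prefix (the
    prefix the 0.13.0 bug dropped). None means no usable identity."""
    value = resolve_claim(claims, username_claim)
    if value is not None:
        return username_prefix + value
    if fallback_claim is not None:
        value = resolve_claim(claims, fallback_claim)
        if value is not None:
            return fallback_prefix + value
    return None


# Constructed sample payloads, not real tokens.
USER_TOKEN = {"user.info": {"user.id": "alice"}}
SERVICE_TOKEN = {"user.info": {"client.id": "kafka-producer"}}
```

With a fallback prefix of service-account- and a username prefix of user-, USER_TOKEN maps to user-alice and SERVICE_TOKEN to service-account-kafka-producer, so the two identity sources land in distinct namespaces.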

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.13.0 milestone.

0.13.0-rc1

08 Jul 10:51
Pre-release

Main Changes since 0.12.x

KeycloakAuthorizer has been added that supports both Zookeeper and KRaft mode

While KeycloakRBACAuthorizer can still be used in Zookeeper mode, going forward you should migrate your configuration to KeycloakAuthorizer.

As part of supporting KRaft mode, the grants mapping logic has changed slightly. Rather than using the access token as the unit of grant, the user id is now used. This results in better sharing of grants between sessions of the same user, and should also reduce the number of grants held in the cache and the number of refresh requests to the Keycloak server.

Additional configuration options have been added:

  • strimzi.authorization.grants.max.idle.time.seconds specifies the time after which an idle grant in the cache can be evicted
  • strimzi.authorization.grants.gc.period.seconds specifies the interval at which stale grants are cleaned from the grants cache

Also, the option strimzi.authorization.reuse.grants now defaults to true rather than false.

Global option strimzi.oauth.metric.reporters has been added to supersede metric.reporters in OAuth metrics

To avoid double instantiation of metric reporters that are only expected to work as singletons, the metric.reporters option is no longer used by OAuth metrics.
If the new strimzi.oauth.metric.reporters option is not set, OAuth metrics will still instantiate a default org.apache.kafka.common.metrics.JmxReporter if any OAuth metrics are enabled.
To install another metric reporter in addition to JmxReporter, both have to be listed.
Also, the suggested way to configure it on the Kafka broker is as an environment variable rather than as a property in the server.properties file.

Fixed JsonPath handling of null in a query when attribute was missing

This introduces a backwards incompatible change in how queries using an equals or not-equals comparison to null are handled when the targeted attribute is not present.

Examples of affected queries as used in oauth.custom.claim.check:

  • "@.missing == null"
  • "@.missing != null"

Principal extraction from nested username claim was added

It is now possible to use a JsonPath query to target nested attributes when extracting a principal. To use JsonPath, start your claim specification with an opening square bracket [.

For example:

oauth.username.claim="['user.info'].['user.id']"
oauth.fallback.username.claim="['user.info'].['client.id']"

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.13.0 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1186</url>
    </repository>
  </repositories>

0.12.0

10 Mar 23:03

Main Changes since 0.11.x

Java 17 support

The project can now be compiled and its tests run with Java 8, Java 11, and Java 17.

Fixed handling of strimzi.authorization.enable.metrics

The option was ignored due to a bug.

Multiple improvements in KeycloakRBACAuthorizer

Some optimizations have been made to reduce the number of grants requests to Keycloak.

A retry mechanism for unexpected failures was added. A configuration option strimzi.authorization.http.retries was introduced; if set to a value greater than zero, the initial grants request for the session is immediately repeated upon failure, up to the specified number of times.

Added support for automatic retries during authentication and token validation

Introduced new configuration options oauth.http.retries and oauth.http.retry.pause.millis that can be used to enable
automatic retrying of failed requests to the authorization server during authentication (to the token endpoint) and
during token validation (to the introspection and userinfo endpoints).

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.12.0 milestone.

0.12.0-rc1

08 Mar 10:46
Pre-release

Main Changes since 0.11.x

Java 17 support

The project can now be compiled and its tests run with Java 8, Java 11, and Java 17.

Fixed handling of strimzi.authorization.enable.metrics

The option was ignored due to a bug.

Multiple improvements in KeycloakRBACAuthorizer

Some optimizations have been made to reduce the number of grants requests to Keycloak.

A retry mechanism for unexpected failures was added. A configuration option strimzi.authorization.http.retries was introduced; if set to a value greater than zero, the initial grants request for the session is immediately repeated upon failure, up to the specified number of times.

Added support for automatic retries during authentication and token validation

Introduced new configuration options oauth.http.retries and oauth.http.retry.pause.millis that can be used to enable
automatic retrying of failed requests to the authorization server during authentication (to the token endpoint) and
during token validation (to the introspection and userinfo endpoints).

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.12.0 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1174</url>
    </repository>
  </repositories>

0.11.0

27 Oct 08:45

Main Changes since 0.10.x

Added OAuth metrics support

Added support for OAuth related metrics. They are disabled by default. To enable them, set the oauth.enable.metrics OAuth configuration option to true. Use metric.reporters and the other Kafka metrics.* configuration options to configure how metrics are captured and exported.

Added password grant support

The Resource Owner Password Credentials grant was added for interoperability in existing corporate environments where established security policies prevent using client credentials to authenticate client applications. The reason can also be purely technical, in that the existing Identity and Access Management (IAM) solution only supports user accounts, even where the 'user' is actually an application service.

Added oauth.jwks.ignore.key.use config option

Set this option to true to use all the keys in the JWKS response for token signature validation, regardless of their use attribute.
This makes it possible to use authorization servers that don't specify the use attribute on JWKS keys.

Added support for unprotected truststores

Truststores with an empty password are now supported.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.11.0 milestone.

0.11.0-rc5

23 Oct 16:28
Pre-release

Main Changes since 0.10.x

Added OAuth metrics support

Added support for OAuth related metrics. They are disabled by default. To enable them, set the oauth.enable.metrics OAuth configuration option to true. Use metric.reporters and the other Kafka metrics.* configuration options to configure how metrics are captured and exported.

Added password grant support

The Resource Owner Password Credentials grant was added for interoperability in existing corporate environments where established security policies prevent using client credentials to authenticate client applications. The reason can also be purely technical, in that the existing Identity and Access Management (IAM) solution only supports user accounts, even where the 'user' is actually an application service.

Added oauth.jwks.ignore.key.use config option

Set this option to true to use all the keys in the JWKS response for token signature validation, regardless of their use attribute.
This makes it possible to use authorization servers that don't specify the use attribute on JWKS keys.

Added support for unprotected truststores

Truststores with an empty password are now supported.

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.11.0 milestone.

Staging repository

To test the release, use the staging repository by including the following in your pom.xml:

  <repositories>
    <repository>
      <id>staging</id>
      <url>https://oss.sonatype.org/content/repositories/iostrimzi-1196</url>
    </repository>
  </repositories>