Versions Compared

Comment: Standardized the configuration names

...

The top-level configuration options for the client login callback handler are:

  • sasl.oauthbearer.token.endpoint.uri: OAuth issuer token endpoint URI
  • sasl.oauthbearer.scope.claim.name: optional override for the name of the scope claim; defaults to scope
  • sasl.oauthbearer.sub.claim.name: optional override for the name of the sub claim; defaults to sub
  • sasl.login.connect.timeout.ms: optional value in milliseconds for HTTPS connect timeout; defaults to 10000
  • sasl.login.read.timeout.ms: optional value in milliseconds for HTTPS read timeout; defaults to 10000
  • sasl.login.attempts: optional number of attempts to make to connect to the OAuth/OIDC identity provider; defaults to 3
  • sasl.login.retry.wait.ms: optional value in milliseconds for the amount of time to wait between HTTPS call attempts; defaults to 250
  • sasl.login.retry.max.wait.ms: optional value in milliseconds for the maximum wait between HTTPS call attempts (as described above); defaults to 10000

...

sasl.login.callback.handler.class=...OAuthBearerLoginCallbackHandler
sasl.login.connect.timeout.ms=15000
sasl.oauthbearer.token.endpoint.uri=https://myidp.example.com/oauth2/default/v1/token

sasl.jaas.config=...OAuthBearerLoginModule required \
clientId="abc123" \
clientSecret="S3cr3t!" \
scope="sales-pipeline" \
extension_supportFeatureX="true" \
extension_organizationId="sales-emea" ;


In the above example, only the OAuth provider's sasl.oauthbearer.token.endpoint.uri has been specified, along with an override of the default for sasl.login.connect.timeout.ms. The clientId and clientSecret values, as issued by the OAuth provider for an "API" or "machine-to-machine" account, are required in the JAAS configuration. The optional scope value causes a scope parameter to be included when requesting the token.

Notice that there are also two SASL extension configuration values in this example: extension_supportFeatureX and extension_organizationId. These extensions are ignored during the OAuth token retrieval step, but are passed to the broker through the existing SASL extension mechanism from KIP-342.
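To make concrete which JAAS options go where, here is an added Python example (not part of the KIP and not Kafka's login callback handler code) that parses the JAAS configuration above, splits the extension_ options from the token-request options, and builds the client-credentials request that would be sent to the token endpoint. The use of HTTP Basic authentication for clientId/clientSecret and the grant_type=client_credentials form body are assumptions of this example, not something the page states.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed sample: the client JAAS configuration shown on this page.
JAAS_CONFIG = (
    'OAuthBearerLoginModule required '
    'clientId="abc123" '
    'clientSecret="S3cr3t!" '
    'scope="sales-pipeline" '
    'extension_supportFeatureX="true" '
    'extension_organizationId="sales-emea" ;'
)

EXTENSION_PREFIX = "extension_"


def parse_jaas_options(jaas_config):
    """Return the key="value" options of a single JAAS login module entry as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', jaas_config))


def split_options(options):
    """Separate token-request options from SASL extensions.

    Keys prefixed with extension_ are never sent to the identity provider;
    the prefix is stripped and the remainder is forwarded to the broker as a
    SASL extension (KIP-342). Everything else feeds the token request.
    """
    token_opts, extensions = {}, {}
    for key, value in options.items():
        if key.startswith(EXTENSION_PREFIX):
            extensions[key[len(EXTENSION_PREFIX):]] = value
        else:
            token_opts[key] = value
    return token_opts, extensions


def build_token_request(token_endpoint_uri, token_opts):
    """Build the client-credentials request for sasl.oauthbearer.token.endpoint.uri.

    Assumption (not stated on the page): the client authenticates with HTTP
    Basic auth (client_secret_basic). scope is only sent when configured, so the
    credentials never appear in the form body or the URL.
    """
    if "clientId" not in token_opts or "clientSecret" not in token_opts:
        raise ValueError("clientId and clientSecret are required in the JAAS configuration")
    creds = f'{token_opts["clientId"]}:{token_opts["clientSecret"]}'
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if token_opts.get("scope"):
        form["scope"] = token_opts["scope"]
    return {"url": token_endpoint_uri, "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    token_opts, extensions = split_options(parse_jaas_options(JAAS_CONFIG))
    request = build_token_request("https://myidp.example.com/oauth2/default/v1/token", token_opts)
    print("token request body:", request["body"])
    print("SASL extensions sent to broker:", extensions)
```

The point to check when reviewing a real configuration is the last assertion below: nothing under an extension_ key leaks into the token request, and nothing the identity provider returns is needed to build the extensions.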

...

There are several configuration options for this callback handler. Since none of them is sensitive, they are all in the top-level configuration. Each option can be set either top-level or scoped to a specific listener with the listener prefix listener.name.<listener name>.oauthbearer. Here are the configuration options:

  • sasl.oauthbearer.jwks.endpoint.uri: the OAuth issuer's JWK Set endpoint URI from which the set of JWKs managed by the provider is retrieved. This can also be a file:// URL pointing to a copy of the JWKS data on a file system accessible to the broker; the JWKS data can then be updated on the file system and is refreshed on the broker when the file changes, avoiding any HTTP(S) communication with the OAuth/OIDC provider

  • sasl.oauthbearer.jwks.refresh.interval.ms: optional value in milliseconds for how often to refresh the JWKS from the URL pointed to by sasl.oauthbearer.jwks.endpoint.uri. Only used when sasl.oauthbearer.jwks.endpoint.uri is an HTTP(S)-based URI. Defaults to 3600000 (1 hour)

  • sasl.oauthbearer.sub.claim.name: name of the JWT claim from which to extract the subject; defaults to sub

  • sasl.oauthbearer.scope.claim.name: name of the JWT claim from which to extract the scope; defaults to scope

  • sasl.oauthbearer.clock.skew.seconds: optional value in seconds for the clock skew tolerated between the OAuth/OIDC provider and the broker when checking the JWT's time-based claims. Defaults to 30

  • sasl.oauthbearer.expected.audience: optional comma-delimited list of audiences the broker uses to verify that the JWT was issued for one of the expected audiences. The JWT is inspected for the standard OAuth aud claim and, if this option is set, the broker checks the claim's value for an exact match against one of the configured audiences. If there is no match, the broker rejects the JWT and authentication fails.

  • sasl.oauthbearer.expected.issuer: optional setting the broker uses to verify that the JWT was created by the expected issuer. The JWT is inspected for the standard OAuth iss claim and, if this option is set, the broker requires an exact match between the claim's value and the configured issuer. If there is no match, the broker rejects the JWT and authentication fails.
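The following added Python example (an illustration written for this page, not Kafka's OAuthBearerValidatorCallbackHandler) applies the broker-side checks listed above to a constructed token: it selects the JWK by kid from a constructed JWKS document, enforces the expected issuer and audience (including an aud claim that is a list), tolerates sasl.oauthbearer.clock.skew.seconds of drift on exp and nbf, and honours the sub and scope claim-name overrides. The JWKS document, the claims, the key ID and the order of the checks are assumptions of the example. Signature verification with the selected key is the step it leaves as a comment, so it is not a drop-in validator; it shows what the options above do once the key has been found.

```python
import base64
import json
import time


class JwtValidationError(Exception):
    """Raised when a bearer token fails one of the broker-side checks."""


def b64url_decode(segment):
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed JWKS document standing in for what the broker fetches from
# sasl.oauthbearer.jwks.endpoint.uri (HTTPS or file://). The modulus is a placeholder.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-2021", "use": "sig", "alg": "RS256", "n": "placeholder", "e": "AQAB"},
]}

# Constructed claims. The provider names its scope claim "scp", as in the example above.
SAMPLE_CLAIMS = {
    "iss": "https://myidp.example.com/oauth2/default",
    "sub": "sales-app",
    "aud": ["kafka-cluster", "other-api"],
    "iat": 1700000000,
    "exp": 1700000600,
    "scp": "read write",
}


def make_unsigned_token(payload, kid):
    """Constructed test token: header and claims are real JSON, the signature is a placeholder."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(payload, **compact).encode()),
        b64url_encode(b"signature-not-checked-in-this-example"),
    ])


def select_jwk(jwks, kid):
    """Pick the JWK whose kid matches the token header; a token with an unknown kid is rejected."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid:
            return jwk
    raise JwtValidationError(f"no JWK with kid={kid!r} in the JWKS")


def validate_token(token, jwks, *, expected_issuer=None, expected_audience=None,
                   clock_skew_seconds=30, sub_claim_name="sub", scope_claim_name="scope", now=None):
    """Apply the checks described by the broker options and return the principal and scopes."""
    try:
        header_b64, payload_b64, _signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtValidationError("malformed JWT") from exc

    jwk = select_jwk(jwks, header.get("kid"))
    # Signature verification of header_b64.payload_b64 with jwk belongs here; omitted in this example.

    # sasl.oauthbearer.expected.issuer: exact string match on iss.
    if expected_issuer is not None and payload.get("iss") != expected_issuer:
        raise JwtValidationError(f"unexpected issuer {payload.get('iss')!r}")

    # sasl.oauthbearer.expected.audience: comma-delimited; aud may be a string or a list.
    if expected_audience:
        allowed = {a.strip() for a in expected_audience.split(",") if a.strip()}
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if not allowed.intersection(aud):
            raise JwtValidationError(f"audience {aud!r} matches none of {sorted(allowed)!r}")

    # exp / nbf, tolerating sasl.oauthbearer.clock.skew.seconds of drift in either direction.
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if exp is None or now > exp + clock_skew_seconds:
        raise JwtValidationError("token expired or has no exp claim")
    nbf = payload.get("nbf")
    if nbf is not None and now < nbf - clock_skew_seconds:
        raise JwtValidationError("token not yet valid")

    # sasl.oauthbearer.sub.claim.name / sasl.oauthbearer.scope.claim.name overrides.
    principal = payload.get(sub_claim_name)
    if not principal:
        raise JwtValidationError(f"missing {sub_claim_name!r} claim")
    scope = payload.get(scope_claim_name, [])
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    return {"principal": principal, "scopes": scopes, "kid": jwk["kid"]}


def is_rejected(token, jwks, **options):
    """True if validate_token rejects the token under the given options."""
    try:
        validate_token(token, jwks, **options)
    except JwtValidationError:
        return True
    return False
```

Two behaviours worth noting: with the default scope claim name the constructed token yields no scopes at all, which is the failure mode the scope.claim.name override exists for; and a token 20 seconds past exp is accepted under the default 30 second skew, so the skew value directly bounds how long a revoked-but-unexpired token keeps working.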

...

listener.name.<listener name>.oauthbearer.sasl.server.callback.handler.class=o.a.k...OAuthBearerValidatorCallbackHandler
listener.name.<listener name>.oauthbearer.sasl.jaas.config=...OAuthBearerLoginModule required;
sasl.oauthbearer.jwks.endpoint.uri=https://myidp.example.com/oauth2/default/v1/keys
sasl.oauthbearer.scope.claim.name=scp


In the above configuration the broker points sasl.oauthbearer.jwks.endpoint.uri at the appropriate OAuth provider endpoint to retrieve the set of JWKs used for validation. In this example, a non-default value for sasl.oauthbearer.scope.claim.name has been provided because the provider uses scp as the name of the scope claim in the JWTs it produces.

...