...
Because the HTTP call made to the OAuth/OIDC provider may time out or transiently fail, there will be a retry mechanism that waits between attempts. The number of attempts that are made (including the first attempt) is configured via the loginAttempts configuration setting. The retry uses an exponential backoff approach: the first attempt to connect to the HTTP endpoint will be made immediately. If that first attempt fails, a second attempt will first wait a configurable number of milliseconds (loginRetryBackoffMs) before trying again. If that second attempt fails, the wait time (loginRetryBackoffMs) will be doubled before a third attempt. This pattern repeats as needed up to loginAttempts. However, there is also a configurable maximum wait time between attempts (loginRetryMaxBackoffMs) that caps the wait regardless of the number of attempts: the actual wait before any retry is min(currentRetryWaitMs, loginRetryMaxBackoffMs).
There are several configuration options for this callback handler. Sensitive configuration options and SASL extensions appear under the JAAS configuration (sasl.jaas.config) while the rest are top-level configuration.
...
- sasl.oauthbearer.token.endpoint.uri: OAuth issuer token endpoint URI
- sasl.oauthbearer.scope.claim.name: optional override name of the scope claim; defaults to scope
- sasl.oauthbearer.sub.claim.name: optional override name of the sub claim; defaults to sub
- sasl.login.connect.timeout.ms: optional value in milliseconds for HTTPS connect timeout; defaults to 10000
- sasl.login.read.timeout.ms: optional value in milliseconds for HTTPS read timeout; defaults to 10000
- sasl.login.attempts: optional number of attempts to make to connect to the OAuth/OIDC identity provider; defaults to 3
- sasl.login.retry.backoff.ms: optional value in milliseconds for the amount of time to wait between HTTPS call attempts; defaults to 100
- sasl.login.retry.max.backoff.ms: optional value in milliseconds for the maximum wait between HTTPS call attempts (as described above); defaults to 10000
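The retry schedule described above (immediate first attempt, doubling backoff, capped by the maximum), read from the configuration keys listed here, as an added example. This is illustrative code written for this page, not code from Apache Kafka or the KIP; the key names and defaults are the ones the text lists, while the function names, the TransientError class and the simulated endpoint are constructed for the example.

```python
from typing import Callable, Dict, List, Optional

# Key names and defaults as listed in the KIP text above.
DEFAULTS = {
    "sasl.login.attempts": 3,
    "sasl.login.retry.backoff.ms": 100,
    "sasl.login.retry.max.backoff.ms": 10000,
}


class RetryConfig:
    """Validated retry settings (hypothetical holder, not a Kafka class)."""

    def __init__(self, attempts: int, backoff_ms: int, max_backoff_ms: int):
        if attempts < 1:
            raise ValueError("sasl.login.attempts must be >= 1")
        if backoff_ms < 0 or max_backoff_ms < 0:
            raise ValueError("backoff values must be non-negative")
        self.attempts = attempts
        self.backoff_ms = backoff_ms
        self.max_backoff_ms = max_backoff_ms


def load_retry_config(props: Dict[str, str]) -> RetryConfig:
    """Read the three retry keys from a Kafka-style properties dict,
    falling back to the defaults the KIP lists for any that are absent."""
    def get_int(key: str) -> int:
        return int(props.get(key, DEFAULTS[key]))

    return RetryConfig(get_int("sasl.login.attempts"),
                       get_int("sasl.login.retry.backoff.ms"),
                       get_int("sasl.login.retry.max.backoff.ms"))


def backoff_schedule(cfg: RetryConfig) -> List[int]:
    """Milliseconds to wait before each attempt: 0 for the first attempt,
    then the backoff doubles per attempt and is capped at max_backoff_ms,
    i.e. min(currentRetryWaitMs, loginRetryMaxBackoffMs)."""
    waits = [0]
    current = cfg.backoff_ms
    for _ in range(1, cfg.attempts):
        waits.append(min(current, cfg.max_backoff_ms))
        current *= 2
    return waits


class TransientError(Exception):
    """Stand-in for an HTTP timeout or transient failure at the token endpoint."""


def retry_login(fetch_token: Callable[[], str], cfg: RetryConfig,
                sleep: Callable[[float], None]) -> str:
    """Call fetch_token up to cfg.attempts times, sleeping per the schedule
    before each retry. Re-raises the last TransientError if all attempts fail."""
    last_error: Optional[TransientError] = None
    for wait_ms in backoff_schedule(cfg):
        if wait_ms:
            sleep(wait_ms / 1000.0)
        try:
            return fetch_token()
        except TransientError as exc:
            last_error = exc
    raise last_error if last_error else RuntimeError("no attempts made")


def simulate(fail_times: int, props: Dict[str, str]):
    """Constructed token endpoint that fails `fail_times` times, then succeeds.
    Returns (token or None, attempts made, total milliseconds slept); the
    sleep is recorded rather than performed so the run completes instantly."""
    cfg = load_retry_config(props)
    state = {"calls": 0, "slept_ms": 0}

    def fetch() -> str:
        state["calls"] += 1
        if state["calls"] <= fail_times:
            raise TransientError("simulated timeout")
        return "constructed.jwt.token"  # constructed placeholder, not a real JWT

    def fake_sleep(seconds: float) -> None:
        state["slept_ms"] += round(seconds * 1000)

    try:
        token = retry_login(fetch, cfg, fake_sleep)
    except TransientError:
        token = None
    return token, state["calls"], state["slept_ms"]


if __name__ == "__main__":
    print("default schedule:", backoff_schedule(load_retry_config({})))
    print("capped schedule:", backoff_schedule(RetryConfig(8, 100, 1000)))
    print("two failures then success:", simulate(2, {}))
    print("all attempts fail:", simulate(3, {}))
```

With the listed defaults the schedule is 0, 100 and 200 ms for three attempts, so a client that exhausts its attempts has spent only 300 ms waiting; raising sasl.login.retry.max.backoff.ms has no effect until the doubled backoff would exceed it, which the capped schedule in the block makes visible.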
...
Warning: If the URL or file that is specified cannot be read, the broker will fail to start up. In the case of an HTTP(S)-based URI, the configured It is also important that the JWKS is retrieved before the broker's ports are opened. Otherwise, clients that connect to the broker before the JWKS is retrieved will experience spurious authentication failures (e.g. during broker restarts).
...
In addition to unit and integration tests, there will be a standalone tool in the tools directory/module named org.apache.kafka.tools.OAuthCompatibilityTool. This tool can be run via the existing bin/kafka-run-class.sh script as follows:
...
./bin/kafka-run-class.sh org.apache.kafka.tools.OAuthCompatibilityTool \
--client-id foo \
--client-secret bar \
--token-endpoint-uri https://example.com/oauth2/v1/token \
--jwks-endpoint-uri https://example.com/oauth2/v1/keys
...