...
See Rejected Alternatives: Callback Handlers and Callbacks
We define the abstract base class org.apache.kafka.common.security.oauthbearer.OAuthBearerCallbackHandler as the base class for all callback handlers related to SASL/OAUTHBEARER. We define the org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallback class as the callback class for communicating that we want to retrieve a token, and we define the org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback class as the callback class for communicating that we want to validate a token compact serialization value.
...
The third callback handler defines the validation mechanism that the SASL Server uses to validate an OAuth 2 bearer token. This callback handler must be set via the listener.name.sasl_ssl.oauthbearer.sasl.server.callback.handler.class broker configuration property, and it must recognize OAuthBearerValidatorCallback. The implementation we provide is the org.apache.kafka.common.security.oauthbearer.OAuthBearerUnsecuredValidatorCallbackHandler unsecured JWT validator. It accepts JAAS options as described in the Javadoc below, and it exists both to provide a way to test the overall SASL/OAUTHBEARER feature set and to provide an out-of-the-box implementation for users. Because it performs no signature verification, an alternative callback handler must be written for production use.
The validated token will be available as a negotiated property on the SASL Server instance with the key OAUTHBEARER.token so it can be used for authorization as per KIP-189. Note that the implementation of the SASL Server itself is not part of the public interface – just the key where it makes the validated token available.
package org.apache.kafka.common.security.oauthbearer;

import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
// SubstitutableValues is defined elsewhere in this KIP; it is assumed to live in this package.

/**
 * Base class for all SASL/OAUTHBEARER callback handlers. It is a requirement
 * that SASL/OAUTHBEARER is the only SASL mechanism configuration presented to
 * the code. Specifically, multiple SASL mechanisms configured via the same JAAS
 * configuration is not supported; use dynamic configuration via the
 * {@code sasl.jaas.config} property as described in <a href=
 * "https://cwiki.apache.org/confluence/display/KAFKA/KIP-226+-+Dynamic+Broker+Configuration">KIP-226</a>
 * to meet this constraint if necessary.
 */
public abstract class OAuthBearerCallbackHandler implements AuthenticateCallbackHandler {
    private Map<String, ?> serverConfig = null;
    private String mechanism = null;
    private AppConfigurationEntry jaasConfigEntry = null;
    private SubstitutableValues substitutableValues = null;

    /**
     * Return the server configuration provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null
     *
     * @return the server configuration provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public Map<String, ?> serverConfig() {
        return serverConfig;
    }

    /**
     * Return the SASL mechanism provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null
     *
     * @return the SASL mechanism provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public String mechanism() {
        return mechanism;
    }

    /**
     * Return the JAAS login module configuration provided during
     * {@link #configure(Map, String, List)}, if any, otherwise null.
     *
     * @return the JAAS login module configuration provided during
     *         {@link #configure(Map, String, List)}, if any, otherwise null
     */
    public AppConfigurationEntry jaasConfigEntry() {
        return jaasConfigEntry;
    }

    /**
     * Return the substitutableValues as determined via
     * {@link #configure(Map, String, List)}
     *
     * @return the substitutableValues as determined via
     *         {@link #configure(Map, String, List)}
     */
    public SubstitutableValues substitutableValues() {
        return substitutableValues;
    }

    // etc...
}
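As an added example (not part of this KIP or of Kafka's own code) of the kind of production validator the text calls for: a broker-side handler built on the base class above that accepts only HS256-signed tokens, verifies the signature against a key read from a JAAS option, rejects expired tokens, and hands the validated token back through the callback so it becomes the OAUTHBEARER.token negotiated property. It assumes the base class populates jaasConfigEntry() in configure(), a JAAS option named hs256Secret, and the OAuthBearerValidatorCallback and OAuthBearerToken method names (tokenValue, token, error; value, scope, lifetimeMs, principalName, startTimeMs) as they shipped in Kafka, which may differ from this draft.

```java
package org.apache.kafka.common.security.oauthbearer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
// Hypothetical broker-side HS256 JWT validator; not the KIP's or Kafka's own code.
public class Hs256ValidatorCallbackHandler extends OAuthBearerCallbackHandler {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private static final Pattern SUB = Pattern.compile("\"sub\"\\s*:\\s*\"([^\"]+)\"");
    private static final Base64.Decoder B64 = Base64.getUrlDecoder();
    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            // OAuthBearerValidatorCallback is the only callback this handler recognizes
            if (!(cb instanceof OAuthBearerValidatorCallback)) throw new UnsupportedCallbackException(cb);
            validate((OAuthBearerValidatorCallback) cb);
        }
    }
    private void validate(OAuthBearerValidatorCallback cb) {
        // Shared HMAC key read from the JAAS option "hs256Secret" (option name assumed; the
        // base class is assumed to have populated jaasConfigEntry() during configure()).
        byte[] key = ((String) jaasConfigEntry().getOptions().get("hs256Secret")).getBytes(StandardCharsets.UTF_8);
        String[] p = cb.tokenValue().split("\\.", -1);
        try {
            // Pin the algorithm: the verifier, not the token's "alg" header, decides how to verify
            if (p.length != 3 || !new String(B64.decode(p[0]), StandardCharsets.UTF_8).contains("\"alg\":\"HS256\""))
                throw new GeneralSecurityException("unexpected JOSE header");
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            byte[] expected = mac.doFinal((p[0] + "." + p[1]).getBytes(StandardCharsets.US_ASCII));
            // Constant-time signature comparison; reject before trusting any claim
            if (!MessageDigest.isEqual(expected, B64.decode(p[2]))) throw new GeneralSecurityException("bad signature");
            String claims = new String(B64.decode(p[1]), StandardCharsets.UTF_8);
            Matcher exp = EXP.matcher(claims), sub = SUB.matcher(claims);
            if (!exp.find() || !sub.find() || Long.parseLong(exp.group(1)) * 1000L <= System.currentTimeMillis())
                throw new GeneralSecurityException("missing sub/exp or expired");
            cb.token(new OAuthBearerToken() { // becomes the OAUTHBEARER.token negotiated property
                public String value() { return cb.tokenValue(); }
                public Set<String> scope() { return Collections.emptySet(); }
                public long lifetimeMs() { return Long.parseLong(exp.group(1)) * 1000L; }
                public String principalName() { return sub.group(1); }
                public Long startTimeMs() { return null; }
            });
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            cb.error("invalid_token", null, null); // RFC 7628 error status only; no detail leaks to the client
        }
    }
}
```

A real deployment would normally verify an asymmetric (e.g. RS256) signature against the issuer's published keys and check iss and aud as well; the structure of the handler and the ordering of checks stay the same.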
...