...
Note that the class that implements the refresh logic (org.apache.kafka.common.security.expiring.internals.ExpiringCredentialRefreshingLogin) is not considered part of the public API. This means that while it is up to the org.apache.kafka.common.security.auth.Login implementation for a particular mechanism to implement the logic, and that implementation can delegate to ExpiringCredentialRefreshingLogin to do so (as org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerRefreshingLogin does), this is something that could only be done for the built-in SASL mechanisms (e.g. PLAIN, SCRAM-related, and GSSAPI). There is no intent to support an ability to generate credentials that can be refreshed and re-authenticated for non-builtin mechanisms. (Nothing would prevent such mechanisms from delegating to the class, but it would be unsupported/at their own risk since it is not a public API.)
...