...

Current state: Approved for 3.1.0 (WIP)

Discussion thread: here

JIRA: KAFKA-13202

...

  • sasl.oauthbearer.jwks.endpoint.url: OAuth issuer's JWK Set endpoint URL from which to retrieve the set of JWKs managed by the provider; this can be a file://-based URL that points to a file-based copy of the JWKS data accessible on the broker's file system. This allows the JWKS data to be updated on the file system and refreshed on the broker when the file is updated, thus avoiding any HTTP(S) communication with the OAuth/OIDC provider.

  • sasl.oauthbearer.jwks.endpoint.refresh.interval.ms: optional value in milliseconds for how often to refresh the JWKS from the URL pointed to by sasl.oauthbearer.jwks.endpoint.url. Only used when using an HTTP(S)-based URL for sasl.oauthbearer.jwks.endpoint.url. Defaults to 3600000 (1 hour)

  • sasl.oauthbearer.jwks.endpoint.retry.backoff.ms: optional value in milliseconds for the amount of time to wait between HTTPS call attempts to retrieve the JWKS; only used when using an HTTP(S)-based URL for sasl.oauthbearer.jwks.endpoint.url; defaults to 100
  • sasl.oauthbearer.jwks.endpoint.retry.backoff.max.ms: optional value in milliseconds for the maximum wait for HTTPS call attempts to retrieve the JWKS; only used when using an HTTP(S)-based URL for sasl.oauthbearer.jwks.endpoint.url ; defaults to 10000
  • sasl.oauthbearer.sub.claim.name: name of the scope from which to extract the subject claim from the JWT; defaults to sub

  • sasl.oauthbearer.scope.claim.name: name of the scope from which to extract the scope claim from the JWT; defaults to scope

  • sasl.oauthbearer.clock.skew.seconds: optional value in seconds for the clock skew between the OAuth/OIDC provider and the broker. Only used when using an HTTP(S)-based URL for sasl.oauthbearer.jwks.endpoint.url. Defaults to 30
  • sasl.oauthbearer.expected.audience: The (optional) comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences. The JWT will be inspected for the standard OAuth aud claim and if this configuration option is set, the broker will match the value from JWT's aud claim to see if there is an exact match. If there is no match, the broker will reject the JWT and authentication will fail.
  • sasl.oauthbearer.expected.issuer: Optional setting for the broker to use to verify that the JWT was created by the expected issuer. The JWT will be inspected for the standard OAuth iss claim and if this configuration option is set, the broker will match the value from JWT's iss claim to see if there is an exact match. If there is no match, the broker will reject the JWT and authentication will fail.

...

listener.name.<listener name>.oauthbearer.sasl.server.callback.handler.class=...OAuthBearerValidatorCallbackHandler
listener.name.<listener name>.oauthbearer.sasl.jaas.config=...OAuthBearerLoginModule required;
sasl.oauthbearer.jwks.endpoint.url=https://myidp.example.com/oauth2/default/v1/keys
sasl.oauthbearer.scope.claim.name=scp

...

In the above configuration, the broker points to the appropriate OAuth provider via sasl.oauthbearer.jwks.endpoint.url to retrieve the set of JWKs for validation. In this example, a non-default value for sasl.oauthbearer.scope.claim.name has been provided because the provider uses scp for the name of the scope claim in the JWT it produces.
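How the claim-related settings above (sub.claim.name, scope.claim.name, clock.skew.seconds, expected.audience, expected.issuer) apply to the payload of a JWT whose signature has already been verified, as an added Python example; it is not Kafka's validator code. The issuer and audience values are constructed, and applying the clock skew to the exp check is an assumption.

```python
import time

# Constructed broker settings; the issuer and audience values are made up for this example.
CONFIG = {
    "sasl.oauthbearer.sub.claim.name": "sub",
    "sasl.oauthbearer.scope.claim.name": "scp",
    "sasl.oauthbearer.clock.skew.seconds": 30,
    "sasl.oauthbearer.expected.audience": "kafka-prod,kafka-dr",
    "sasl.oauthbearer.expected.issuer": "https://myidp.example.com/oauth2/default",
}


def validate_claims(claims, config, now=None):
    """Return (subject, scopes) or raise ValueError. Signature verification
    against the JWKS is assumed to have succeeded before this is called."""
    now = time.time() if now is None else now
    skew = int(config.get("sasl.oauthbearer.clock.skew.seconds", 30))

    # Assumption: the skew widens the acceptance window for the exp claim.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool):
        raise ValueError("missing or non-numeric exp claim")
    if now > exp + skew:
        raise ValueError("token expired")

    expected_iss = config.get("sasl.oauthbearer.expected.issuer")
    if expected_iss and claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")

    expected_aud = config.get("sasl.oauthbearer.expected.audience")
    if expected_aud:
        allowed = {a.strip() for a in expected_aud.split(",") if a.strip()}
        aud = claims.get("aud")
        # RFC 7519: aud is either a single string or an array of strings.
        values = aud if isinstance(aud, list) else [aud]
        if not allowed & {v for v in values if isinstance(v, str)}:
            raise ValueError("unexpected audience")

    sub = claims.get(config.get("sasl.oauthbearer.sub.claim.name", "sub"))
    if not isinstance(sub, str) or not sub:
        raise ValueError("missing subject claim")

    raw = claims.get(config.get("sasl.oauthbearer.scope.claim.name", "scope"))
    # Providers emit the scope claim as a space-delimited string or a JSON array.
    items = raw.split() if isinstance(raw, str) else (raw if isinstance(raw, list) else [])
    return sub, {s for s in items if isinstance(s, str)}
```

Leaving expected.audience and expected.issuer unset skips both checks, so any token signed by a key in the JWKS is accepted regardless of which client or service it was issued for.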

JWKS Management Logic

The JSON Web Key Set (JWKS) is a JSON document provided by the OAuth/OIDC provider that lists the keys used to sign the JWTs it issues.

Here is a sample JWKS JSON document:

...