...

New JAAS config option for default, unsecured bearer tokens: `unsecuredLoginExtension_<extensionname>` (as shown in the "Example" paragraph). The name "auth" is not supported as a custom extension name with any SASL/OAUTHBEARER mechanism, including the unsecured one, because the specification reserves it for what is normally sent in the HTTP Authorization header. An attempt to use it results in an exception on the client. Additional regex validations on extension names and values ensure they conform to the OAuth standard. The SASL/OAUTHBEARER standard (specifically, https://tools.ietf.org/html/rfc7628#section-3.1)
The server can further validate the extensions via its pluggable callback handler.

...

```java
package org.apache.kafka.common.security.oauthbearer;

/**
 * A {@code Callback} for use by the {@code SaslServer} implementation when it
 * needs to validate the SASL extensions for the OAUTHBEARER mechanism.
 * Callback handlers should use the {@link #validate(String)}
 * method to communicate valid extensions back to the SASL server.
 * Callback handlers should use the
 * {@link #error(String, String)} method to communicate validation errors back to
 * the SASL server.
 * As per RFC-7628 (https://tools.ietf.org/html/rfc7628#section-3.1), unknown extensions must be ignored by the server.
 * The callback handler implementation should simply ignore unknown extensions,
 * calling neither {@link #error(String, String)} nor {@link #validate(String)}.
 * Callback handlers should communicate other problems by raising an {@code IOException}.
 * <p>
 * The OAuth bearer token is provided in the callback for better context in extension validation.
 * It is very important that token validation is done in its own {@link OAuthBearerValidatorCallback}
 * regardless of the provided extensions, as extensions are unauthenticated client input and inherently insecure.
 */
public class OAuthBearerExtensionsValidatorCallback implements Callback {

    public OAuthBearerExtensionsValidatorCallback(OAuthBearerToken token, SaslExtensions extensions)

    /**
     * @return {@link OAuthBearerToken} the (potentially null) OAuth bearer token of the client
     */
    public OAuthBearerToken token()

    /**
     * @return {@link SaslExtensions} consisting of the unvalidated extension names and values that were sent by the client
     */
    public SaslExtensions inputExtensions()

    /**
     * @return an unmodifiable {@link Map} consisting of the extension names and values that were validated and recognized by the server
     */
    public Map<String, String> validatedExtensions()

    /**
     * @return an immutable {@link Map} of extension name -> error message for the extensions which failed validation
     */
    public Map<String, String> invalidExtensions()

    /**
     * Validates a specific extension in the original {@code inputExtensions} map
     * @param extensionName - the name of the extension which was validated
     */
    public void validate(String extensionName)

    /**
     * Set the error value for a specific extension key-value pair if validation has failed
     *
     * @param invalidExtensionName
     *            the mandatory extension name which caused the validation failure
     * @param errorMessage
     *            optional error message describing why the validation failed
     */
    public void error(String invalidExtensionName, String errorMessage)
}
```
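The following is an added example of a broker-side callback handler using the callback above, together with the client-side JAAS configuration that sends custom extensions; it is not code from the KIP or from Kafka itself. The package name `com.example.kafka.auth`, the class `ExtensionAwareValidatorCallbackHandler`, the extension names `traceId` and `tenant`, and the in-memory `KNOWN_TOKENS` table are assumptions for illustration. The accept method is named `validate(String)` here to match this draft; adjust it if the version you build against names it differently. Real token validation (signature, issuer, audience, expiry) replaces the table lookup.

```java
package com.example.kafka.auth; // hypothetical package, not part of Kafka

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerExtensionsValidatorCallback;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallback;

/**
 * Hypothetical server callback handler, configured on a broker via
 * listener.name.<listener>.oauthbearer.sasl.server.callback.handler.class.
 * Token validation and extension validation are handled in separate callbacks.
 */
public class ExtensionAwareValidatorCallbackHandler implements AuthenticateCallbackHandler {

    // Constructed sample data: token value -> token. A production handler verifies
    // the token cryptographically instead of looking it up in a table.
    private static final Map<String, OAuthBearerToken> KNOWN_TOKENS = new HashMap<>();
    static { KNOWN_TOKENS.put("tok-alice", token("alice", Collections.singleton("tenant:acme"))); }

    private static final Pattern TRACE_ID = Pattern.compile("^[A-Za-z0-9-]{1,64}$");

    @Override
    public void configure(Map<String, ?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries) {
        // Nothing to configure in this example.
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (callback instanceof OAuthBearerValidatorCallback)
                validateToken((OAuthBearerValidatorCallback) callback);
            else if (callback instanceof OAuthBearerExtensionsValidatorCallback)
                validateExtensions((OAuthBearerExtensionsValidatorCallback) callback);
            else
                throw new UnsupportedCallbackException(callback);
        }
    }

    /** Token validation stands on its own: extensions never influence whether the token is accepted. */
    private void validateToken(OAuthBearerValidatorCallback callback) {
        OAuthBearerToken token = KNOWN_TOKENS.get(callback.tokenValue());
        if (token == null) {
            callback.error("invalid_token", null, null); // RFC 7628 status; scope and openid-config omitted
            return;
        }
        callback.token(token);
    }

    /** Extensions are unauthenticated client input; each known one is checked against the validated token. */
    private void validateExtensions(OAuthBearerExtensionsValidatorCallback callback) {
        OAuthBearerToken token = callback.token(); // may be null per the callback's contract
        for (Map.Entry<String, String> ext : callback.inputExtensions().map().entrySet()) {
            String name = ext.getKey();
            String value = ext.getValue();
            if ("traceId".equals(name)) {
                if (TRACE_ID.matcher(value).matches()) callback.validate(name);
                else callback.error(name, "traceId must be 1-64 characters of [A-Za-z0-9-]");
            } else if ("tenant".equals(name)) {
                // Cross-check the asserted tenant against the token's scopes so a client cannot claim another tenant.
                if (token != null && token.scope().contains("tenant:" + value)) callback.validate(name);
                else callback.error(name, "token carries no scope for tenant " + value);
            }
            // Any other extension is unknown: neither validate() nor error(), as RFC 7628 requires it be ignored.
        }
    }

    /** Minimal OAuthBearerToken for the constructed sample data. */
    private static OAuthBearerToken token(final String principal, final Set<String> scopes) {
        final long now = System.currentTimeMillis();
        return new OAuthBearerToken() {
            @Override public String value() { return "tok-" + principal; }
            @Override public Set<String> scope() { return Collections.unmodifiableSet(scopes); }
            @Override public long lifetimeMs() { return now + 3_600_000L; }
            @Override public String principalName() { return principal; }
            @Override public Long startTimeMs() { return now; }
        };
    }

    /** Client-side properties using the unsecured login module and two custom extensions. */
    public static Properties clientConfig() {
        Properties props = new Properties();
        props.put("security.protocol", "SASL_SSL");
        props.put("sasl.mechanism", "OAUTHBEARER");
        props.put("sasl.jaas.config",
            "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required"
            + " unsecuredLoginStringClaim_sub=\"alice\""
            + " unsecuredLoginExtension_traceId=\"req-42\""
            + " unsecuredLoginExtension_tenant=\"acme\";");
        // unsecuredLoginExtension_auth="..." would be rejected on the client: "auth" is reserved.
        return props;
    }

    @Override
    public void close() {}
}
```

The `tenant` check is the reason the token is passed into the extensions callback: an extension value on its own proves nothing, but checked against a scope in an already-validated token it becomes a usable per-connection attribute. The `traceId` branch shows the other common pattern, a pure syntactic check on the value, and the fall-through for unrecognised names is deliberate rather than an omission.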

...