apache · kirktrue · Feb 14, 2025 · Feb 14, 2025 · Feb 15, 2025 · Feb 15, 2025
diff --git a/checkstyle/import-control.xml b/checkstyle/import-control.xml
@@ -143,6 +143,7 @@
         <allow pkg="javax.crypto" />
       </subpackage>
       <subpackage name="oauthbearer">
+        <allow pkg="com.fasterxml.jackson.annotation" />
         <allow pkg="com.fasterxml.jackson.databind" />
         <allow pkg="org.jose4j" />
       </subpackage>

diff --git a/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
@@ -18,6 +18,8 @@
 
 import org.apache.kafka.common.config.ConfigDef.Range;
 
+import java.util.List;
+
 public class SaslConfigs {
 
     private static final String OAUTHBEARER_NOTE = " Currently applies only to OAUTHBEARER.";
@@ -129,6 +131,16 @@ public class SaslConfigs {
             + " authentication provider."
             + LOGIN_EXPONENTIAL_BACKOFF_NOTE;
 
+
+
+
+
+
+
+
+
+
+
     public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = "sasl.oauthbearer.scope.claim.name";
     public static final String DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = "scope";
     public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME_DOC = "The OAuth claim for the scope is often named \"" + DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME + "\", but this (optional)"
@@ -141,6 +153,16 @@ public class SaslConfigs {
             + " setting can provide a different name to use for the subject included in the JWT payload's claims if the OAuth/OIDC provider uses a different"
             + " name for that claim.";
 
+    public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE = "sasl.oauthbearer.token.endpoint.grant.type";
+    public static final String DEFAULT_SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE = "client_credentials";
+    public static final List<String> SUPPORTED_SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPES = List.of(
+            "client_credentials",
+            "urn:ietf:params:oauth:grant-type:jwt-bearer"
+    );
+    public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE_DOC = "The grant type used when sending the JWT token to the token endpoint. "
+        + "This should be set explicitly to determine which token retriever to use. The supported values are "
+        + SUPPORTED_SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPES;
+
     public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL = "sasl.oauthbearer.token.endpoint.url";
     public static final String SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL_DOC = "The URL for the OAuth/OIDC identity provider. If the URL is HTTP(S)-based, it is the issuer's token"
             + " endpoint URL to which requests will be made to login based on the configuration in " + SASL_JAAS_CONFIG + ". If the URL is file-based, it"
@@ -217,6 +239,7 @@ public static void addClientSaslSupport(ConfigDef config) {
                 .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS, ConfigDef.Type.LONG, DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MS, ConfigDef.Importance.LOW, SASL_LOGIN_RETRY_BACKOFF_MS_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_SCOPE_CLAIM_NAME_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_SUB_CLAIM_NAME_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_TOKEN_ENDPOINT_GRANT_TYPE_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWKS_ENDPOINT_URL_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS, ConfigDef.Type.LONG, DEFAULT_SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS_DOC)

diff --git a/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AccessTokenRetriever.java b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AccessTokenRetriever.java
@@ -0,0 +1,64 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.kafka.common.security.oauthbearer;
+
+import java.io.IOException;
+
+import javax.security.auth.spi.LoginModule;
+
+/**
+ * An implementation of <code>AccessTokenRetriever</code> is the means by which the login module will
+ * retrieve an OAuth access token that is used to authorize with a broker. The implementation may
+ * involve authentication to one or more remote systems, or it can be as simple as loading the contents
+ * from a file or configuration setting.
+ *
+ * <i>Retrieval</i> of a token is a separate concern from <i>validation</i>.
+ * <code>AccessTokenRetriever</code> implementations should not validate the integrity of the access
+ * token, but should rely on the companion {@link AccessTokenValidator} for that task.
+ *
+ * @see ClientCredentialsAccessTokenRetriever
+ * @see DefaultAccessTokenRetriever
+ * @see FileAccessTokenRetriever
+ * @see HttpAccessTokenRetriever
+ * @see JwtBearerAccessTokenRetriever
+ */
+public interface AccessTokenRetriever extends OAuthBearerConfigurable {
+
+    /**
+     * <p>
+     * Retrieves a JWT access token in its serialized three-part form. The implementation is free to
+     * determine how it should be retrieved but should not perform validation on the result.
+     * </p>
+     *
+     * <p>
+     * <b>Note</b>: This is a blocking function and callers should be aware that the
+     * implementation may be communicating over a network, with the file system, coordinating
+     * threads, etc. The facility in the {@link LoginModule} from which this is ultimately called does
+     * not provide an asynchronous approach.
+     * </p>
+     *
+     * @return Non-<code>null</code> JWT access token string
+     *
+     * @throws IOException Thrown on errors related to I/O during retrieval
+     */
+    String retrieve() throws IOException;
+
+    @Override
+    default void close() {
+        // Do nothing...
+    }
+}
diff --git a/...ternals/secured/AccessTokenValidator.java → ...ity/oauthbearer/AccessTokenValidator.java b/...ternals/secured/AccessTokenValidator.java → ...ity/oauthbearer/AccessTokenValidator.java
@@ -14,10 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-package org.apache.kafka.common.security.oauthbearer.internals.secured;
-
-import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
+package org.apache.kafka.common.security.oauthbearer;
 
 /**
  * An instance of <code>AccessTokenValidator</code> acts as a function object that, given an access
@@ -40,13 +37,13 @@
  *     <li><a href="https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt">RFC 6750, Section 2.1</a></li>
  * </ul>
  *
- * @see LoginAccessTokenValidator A basic AccessTokenValidator used by client-side login
- *                                authentication
- * @see ValidatorAccessTokenValidator A more robust AccessTokenValidator that is used on the broker
+ * @see DefaultAccessTokenValidator   Default validator that acts as a wrapper over one of the other validators
+ * @see ClientAccessTokenValidator     A basic AccessTokenValidator used by client-side login
+ *                                    authentication
+ * @see BrokerAccessTokenValidator A more robust AccessTokenValidator that is used on the broker
  *                                    to validate the token's contents and verify the signature
  */
-
-public interface AccessTokenValidator {
+public interface AccessTokenValidator extends OAuthBearerConfigurable {
 
     /**
      * Accepts an OAuth JWT access token in base-64 encoded format, validates, and returns an
@@ -56,9 +53,13 @@ public interface AccessTokenValidator {
      *
      * @return {@link OAuthBearerToken}
      *
-     * @throws ValidateException Thrown on errors performing validation of given token
+     * @throws InvalidJwtException Thrown on errors performing validation of given token
      */
 
-    OAuthBearerToken validate(String accessToken) throws ValidateException;
+    OAuthBearerToken validate(String accessToken) throws InvalidJwtException;
 
+    @Override
+    default void close() {
+        // Do nothing...
+    }
 }