Oauth client assertion support #211
Conversation
Signed-off-by: Robbert van Waveren <robbert1@gmail.com>
…ProviderTest.java Co-authored-by: Marko Strukelj <marko.strukelj@gmail.com> Signed-off-by: Robbert van Waveren <robbert1@gmail.com>
Signed-off-by: Robbert van Waveren <robbert1@gmail.com>
|
this PR now has DCO signoff and grants maintainer edit rights |
…on-support' into oauth-client-assertion-support
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
I added a better description. |
|
@mstruk Same as the other PR. The Travis tests do not seem to run here. |
There was a problem hiding this comment.
We shouldn't assume that people trying to use this understand what they're doing. Even if they do it's easy to become focussed on "making it work" and forget about all the steps needed to actually make it secure. so I think:
- the README should recommend the use of filesystem permissions to protect tokens on disk.
- we should consider, when the OS is unix, checking the file permissions and failing if they token files are readable by all, or the group. Obviously this doesn't provide any protection on non-unix, but it's better than nothing in my opinion.
| @@ -193,11 +215,20 @@ private long getHttpRetryPauseMillis(ClientConfig config, int retries) { | |||
| return retryPauseMillis; | |||
| } | |||
|
|
|||
| private TokenProvider createProvider(final String token, final String tokenLocation) { | |||
| if (tokenLocation != null) { | |||
There was a problem hiding this comment.
Do we want to accept the case where both parameters are non-null? It's ambiguous what the user's intent is in this case.
There was a problem hiding this comment.
I aded a logic that if both are set, the location (file) is used rather than the token, and warning is logged.
| * @throws IllegalStateException If the response from the authorization server could not be handled | ||
| */ | ||
| @SuppressWarnings("checkstyle:ParameterNumber") | ||
| public static TokenInfo loginWithClientAssertion(URI tokenEndpointUrl, SSLSocketFactory socketFactory, |
There was a problem hiding this comment.
Can we put each parameter on a separate line.
| * @throws IllegalStateException If the response from the authorization server could not be handled | ||
| */ | ||
| @SuppressWarnings("checkstyle:ParameterNumber") | ||
| public static TokenInfo loginWithClientAssertion(URI tokenEndpointUrl, SSLSocketFactory socketFactory, |
There was a problem hiding this comment.
Can we put each parameter on a separate line.
There was a problem hiding this comment.
I aded logic that if both are set, the location (file) is used rather than the token, and warning is logged.
Good point, I'll add some docs to address this.
Failing is a harsh reaction to this. Especially if an external mechanism takes care of mounting a filesystem so it's all automatic and possibly out of your control. I would prefer to log a warning, but not fail. WDYT? |
Co-authored-by: Tom Bentley <tombentley@users.noreply.github.com> Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
The 'possibly out of your control point' is a good one. So I guess logging a warning is reasonable. |
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
The 'env:ENV_VARIABLE_NAME' feature doesn't seem to add any capability that couldn't be performed before. Also rather than conflating such a feature with the current PR it is better to introduce it separately if at all. Also, there is a possibility of unexpected behaviour, for example using It is already the case that when a configuration option is resolved the resolution tries several different override possibilities in a specific order as implemented here and documented here. First, if the system property exists with the same name it overrides the JAAS configured attribute. Second, if the env variable with the same name exists that is used. Third, if the env variable exists with the name equal to configuration key converted to all caps and underscores then that one is used. Only if there are no overrides via System properties and env vars the config parameter as configured via JAAS is used. According to these rules using |
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
I don’t see how the logic you refer to performs the substitution of the TOKEN_FILE env variable for its actual content. The original intent of this PR is support for MS Azure Workload Identity which injects certain env vars into the execution environment. Which is the main (only) practical use-case for this PR. Note that this means that these env var names are not configurable so these should be piped towards this libs configs parama/vars. |
|
@robbertvanwaveren Can you give an example or provide a failing test? Substitution happens in your kafka-client.yaml (or whatever you call the yaml file that you use) when setting environment vars for the pod. |
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
I'm thinking of renaming the I wonder what others think? |
|
Actually that won't work as there are existing previous options that refer to files and are called |
|
@tombentley Do you think this needs another review (specifically, the file permissions check)? |
Signed-off-by: Marko Strukelj <marko.strukelj@gmail.com>
|
Travis CI integration not working again. My local run of the full testsuite has been passing on this one for a long time. If some Travis CI issues appear during release of the next version we'll fix it then. This PR has been a long time in the making. Many thanks to everyone who contributed, and especially @robbertvanwaveren for the initial development and continued engagement. |
This PR adds support for Kafka clients to obtain an access token by authenticating to the authorization server with client assertion as specified by https://www.rfc-editor.org/rfc/rfc7523 and https://www.rfc-editor.org/rfc/rfc7521. The assertion can be provided by an external mechanism and available as a file on the file system or it can be explicitly set through OAuth configuration before running the Kafka client.
In addition, the static access token or refresh token can now be provided as a file on the local filesystem.
The following new configuration options have been added by this PR:
oauth.client.assertionoauth.client.assertion.locationoauth.client.assertion.typeoauth.refresh.token.locationoauth.access.token.location