Class JwtBearerJwtRetriever

java.lang.Object
  org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever

All Implemented Interfaces:
  Closeable, AutoCloseable, org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable, JwtRetriever
JwtBearerJwtRetriever is a JwtRetriever that performs the steps to request a JWT from an OAuth/OIDC identity provider using the urn:ietf:params:oauth:grant-type:jwt-bearer grant type. This grant type is used for machine-to-machine "service accounts".

This JwtRetriever is enabled by specifying its class name in the Kafka configuration. For client use, specify the class name in the sasl.oauthbearer.jwt.retriever.class configuration like so:

sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever

If using this JwtRetriever on the broker side (for inter-broker communication), the configuration should be specified with a listener-based property:

listener.name.<listener name>.oauthbearer.sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever

The JwtBearerJwtRetriever also uses the following configuration:
sasl.oauthbearer.assertion.algorithm
sasl.oauthbearer.assertion.claim.aud
sasl.oauthbearer.assertion.claim.exp.seconds
sasl.oauthbearer.assertion.claim.iss
sasl.oauthbearer.assertion.claim.jti.include
sasl.oauthbearer.assertion.claim.nbf.seconds
sasl.oauthbearer.assertion.claim.sub
sasl.oauthbearer.assertion.file
sasl.oauthbearer.assertion.private.key.file
sasl.oauthbearer.assertion.private.key.passphrase
sasl.oauthbearer.assertion.template.file
sasl.oauthbearer.jwt.retriever.class
sasl.oauthbearer.scope
sasl.oauthbearer.token.endpoint.url
For example:

sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;
sasl.oauthbearer.assertion.algorithm=RS256
sasl.oauthbearer.assertion.claim.aud=my-application-audience
sasl.oauthbearer.assertion.claim.exp.seconds=600
sasl.oauthbearer.assertion.claim.iss=my-oauth-issuer
sasl.oauthbearer.assertion.claim.jti.include=true
sasl.oauthbearer.assertion.claim.nbf.seconds=120
sasl.oauthbearer.assertion.claim.sub=kafka-app-1234
sasl.oauthbearer.assertion.private.key.file=/path/to/private.key
sasl.oauthbearer.assertion.private.key.passphrase=$3cr3+
sasl.oauthbearer.assertion.template.file=/path/to/assertion-template.json
sasl.oauthbearer.jwt.retriever.class=org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever
sasl.oauthbearer.scope=my-application-scope
sasl.oauthbearer.token.endpoint.url=https://example.com/oauth2/v1/token
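To make the grant flow concrete, the following is an added Python illustration (not Kafka's code and not part of this Javadoc) of what the configuration above drives: it builds the jwt-bearer assertion from the claim properties, signs it with RS256, forms the token-endpoint request, and applies the checks an identity provider makes before issuing a token. It assumes the `cryptography` library, an ephemeral RSA key in place of sasl.oauthbearer.assertion.private.key.file, and that exp.seconds and nbf.seconds are offsets forward and backward from the current time.

```python
import base64, json, uuid
from urllib.parse import urlencode
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
P = "sasl.oauthbearer.assertion.claim."  # prefix of the claim properties; sample below uses the page's values
SAMPLE_CONFIG = {P + "iss": "my-oauth-issuer", P + "sub": "kafka-app-1234",
                 P + "aud": "my-application-audience", P + "exp.seconds": "600",
                 P + "nbf.seconds": "120", P + "jti.include": "true",
                 "sasl.oauthbearer.scope": "my-application-scope"}
# Ephemeral key standing in for sasl.oauthbearer.assertion.private.key.file (assumption).
PRIVATE_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_claims(config, now):
    # Assumed reading of the settings: exp lies exp.seconds ahead of now, nbf lies nbf.seconds behind it.
    claims = {"iss": config[P + "iss"], "sub": config[P + "sub"], "aud": config[P + "aud"],
              "exp": now + int(config[P + "exp.seconds"]), "nbf": now - int(config[P + "nbf.seconds"])}
    if config.get(P + "jti.include") == "true":
        claims["jti"] = str(uuid.uuid4())  # unique per assertion so the IdP can reject replays
    return claims

def sign_assertion(claims, private_key):
    # RS256: RSASSA-PKCS1-v1_5 with SHA-256 over "base64url(header).base64url(claims)".
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in ({"alg": "RS256", "typ": "JWT"}, claims))
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)

def token_request_body(config, assertion):
    # Form body POSTed to sasl.oauthbearer.token.endpoint.url (RFC 7523, section 2.1).
    return urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion, "scope": config["sasl.oauthbearer.scope"]})

def verify_assertion(assertion, public_key, expected_aud, now):
    # The checks an identity provider applies before issuing the access token: signature, audience, validity window.
    header, payload, sig = assertion.split(".")
    try:
        public_key.verify(b64url_decode(sig), f"{header}.{payload}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return False
    claims = json.loads(b64url_decode(payload))
    return claims.get("aud") == expected_aud and claims["nbf"] <= now < claims["exp"]
```

A real client would load the PEM key from the configured file (with the passphrase) and POST the body to the token endpoint over TLS; the IdP's response carries the access token that retrieve() returns.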
Constructor Summary
  JwtBearerJwtRetriever()
  JwtBearerJwtRetriever(org.apache.kafka.common.utils.Time time)

Method Summary
  configure, retrieve, close (see Method Details)

Constructor Details

JwtBearerJwtRetriever
public JwtBearerJwtRetriever()

JwtBearerJwtRetriever
public JwtBearerJwtRetriever(org.apache.kafka.common.utils.Time time)

Method Details

configure
public void configure(Map<String, ?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries)
Specified by:
  configure in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable
retrieve
Description copied from interface: JwtRetriever
Retrieves a JWT access token in its serialized three-part form. The implementation is free to determine how it should be retrieved but should not perform validation on the result.
Note: This is a blocking function and callers should be aware that the implementation may be communicating over a network, with the file system, coordinating threads, etc. The facility in the LoginModule from which this is ultimately called does not provide an asynchronous approach.
Specified by:
  retrieve in interface JwtRetriever
Returns:
  Non-null JWT access token string
Throws:
  JwtRetrieverException - Thrown on errors related to IO during retrieval
close
Specified by:
  close in interface AutoCloseable
  close in interface Closeable
  close in interface org.apache.kafka.common.security.oauthbearer.internals.secured.OAuthBearerConfigurable
Throws:
  IOException