[ https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Luke Chen updated KAFKA-13848:
------------------------------
Fix Version/s: 3.3.0
> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
> Key: KAFKA-13848
> URL: https://issues.apache.org/jira/browse/KAFKA-13848
> Project: Kafka
> Issue Type: Bug
> Components: clients
> Affects Versions: 3.1.0
> Environment: https://github.com/acsaki/kafka-sasl-reauth
> Reporter: Andras Csaki
> Assignee: Andras Csaki
> Priority: Minor
> Labels: Authentication, OAuth2, SASL
> Fix For: 3.3.0
>
>
> Clients remain connected and able to produce or consume despite an expired
> OAUTHBEARER token.
>
> The problem can be reproduced using the
> https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded
> OAuth2 server and Kafka, then running the long-running consumer in
> OAuthBearerTest and then killing the OAuth2 server, thus making the client
> unable to re-authenticate.
>
> Root cause seems to be
> SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing
> to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired
> (when the session lifetime goes negative), in turn causing
> KafkaChannel#serverAuthenticationSessionExpired to return false and finally
> SocketServer not to close the channel.
>
> The issue is observed with OAUTHBEARER but seems to have a wider impact on
> SASL re-authentication.
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
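The failure mode described in the report, reduced to a small added model (constructed illustration, not Kafka's own code): a simplified ReauthInfo, the server-side expiry check, and the lifetime computation in the defective form beside a hardened form that arms the expiry timer even when the computed lifetime is negative. Names mirror the report's identifiers, but the logic is a simplification and the hardened variant is an assumption for illustration, not the committed fix.

```python
# Constructed model of the server-side SASL re-authentication session expiry
# path described in KAFKA-13848. Not Kafka's implementation: field and
# function names echo the report, the control flow is a reduction.
from dataclasses import dataclass
from typing import Callable, Optional

NS_PER_MS = 1_000_000


@dataclass
class ReauthInfo:
    """Per-connection re-authentication state (simplified)."""
    session_expiration_time_nanos: Optional[int] = None


def session_expired(info: ReauthInfo, now_nanos: int) -> bool:
    """Server check; the broker closes the channel only when this is True."""
    return (info.session_expiration_time_nanos is not None
            and now_nanos > info.session_expiration_time_nanos)


def calc_session_lifetime_ms(credential_expiry_ms: int, now_ms: int,
                             max_reauth_ms: int) -> int:
    """Remaining lifetime is bounded by the credential's expiry and the
    broker's re-authentication window; negative means already expired."""
    return min(credential_expiry_ms - now_ms, max_reauth_ms)


def set_expiration_buggy(info: ReauthInfo, lifetime_ms: int, now_nanos: int) -> None:
    # Defect pattern from the report: only a positive lifetime arms the
    # timer, so an already-expired token never sets the expiration time and
    # session_expired() keeps returning False for that connection.
    if lifetime_ms > 0:
        info.session_expiration_time_nanos = now_nanos + lifetime_ms * NS_PER_MS


def set_expiration_fixed(info: ReauthInfo, lifetime_ms: int, now_nanos: int) -> None:
    # Hardened (assumed) variant: clamp at zero so an expired credential is
    # due for closure immediately instead of never.
    info.session_expiration_time_nanos = now_nanos + max(lifetime_ms, 0) * NS_PER_MS


def channel_closed_after(setter: Callable[[ReauthInfo, int, int], None],
                         lifetime_ms: int, check_after_ms: int) -> bool:
    """True if the server would close the channel check_after_ms after
    authentication completed, given the computed session lifetime."""
    info = ReauthInfo()
    auth_end_nanos = 0  # constructed clock: authentication completes at t=0
    setter(info, lifetime_ms, auth_end_nanos)
    return session_expired(info, auth_end_nanos + check_after_ms * NS_PER_MS)
```

Run with a token that expired 5 s before authentication: the buggy setter never closes the channel, the clamped one closes it at the first check.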