kirktrue commented on code in PR #19754:
URL: https://github.com/apache/kafka/pull/19754#discussion_r2114876293
##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -129,6 +130,186 @@ public class SaslConfigs {
+ " authentication provider."
+ LOGIN_EXPONENTIAL_BACKOFF_NOTE;
+ public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS =
"sasl.oauthbearer.jwt.retriever.class";
+ public static final String DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS =
"org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever";
+ public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC =
"<p>The fully-qualified class name of a <code>JwtRetriever</code>
implementation used to"
+ + " request tokens from the identity provider.</p>"
+ + "<p>The default configuration value represents a class that
maintains backward compatibility with previous versions of"
+ + " Apache Kafka. The default implementation uses the configuration to
determine which concrete implementation to create."
+ + "<p>Other implementations that are provided include:</p>"
+ + "<ul>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.FileJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever</code></li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"sasl.oauthbearer.jwt.validator.class";
+ public static final String
DEFAULT_BROKER_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator";
+ public static final String
DEFAULT_CLIENT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"org.apache.kafka.common.security.oauthbearer.ClientJwtValidator";
+ public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC =
"<p>The fully-qualified class name of a <code>JwtValidator</code>
implementation used to"
+ + " validate the JWT from the identity provider.</p>"
+ + "<p>The default configuration value represents a class that
maintains backward compatibility with previous versions of"
+ + " Apache Kafka. The default implementation uses the configuration to
determine which concrete implementation to create."
+ + "<p>Other implementations that are provided include:</p>"
+ + "<ul>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientJwtValidator</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator</code></li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_GRANT_TYPE =
"sasl.oauthbearer.grant.type";
+ public static final String DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE =
"client_credentials";
+ public static final String SASL_OAUTHBEARER_GRANT_TYPE_DOC = "The OAuth
grant type to use when communicating with the identity provider. On the whole,
the"
+ + " OAuth layer does not rely on this value and expects it to be used
and/or verified for correctness by the <code>JwtRetriever</code>
implementation."
+ + " The default value of <code>client_credentials</code> maintains
backward compatibility. The built-in grant types are:"
+ + "<ul>"
+ + "<li><code>client_credentials</code></li>"
+ + "<li><code>urn:ietf:params:oauth:grant-type:jwt-bearer</code></li>"
+ + "</ul>"
+ + "<p>The OAuth code in Apache Kafka does not limit the values that
are used. A user can write a custom <code>JwtRetriever</code> implementation
that uses"
+ + " a completely different grant type, if desired.</p>";
+
+ public static final String SASL_OAUTHBEARER_SCOPE =
"sasl.oauthbearer.scope";
+ public static final String SASL_OAUTHBEARER_SCOPE_DOC = "<p>This is the
level of access a client application is granted to a resource or API which is"
+ + " included in the token request. If provided, it should match one or
more scopes configured in the identity provider.</p>"
+ + "<p>"
+ + "The scope was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key <code>scope</code>."
+ + " For backward compatibility, the <code>scope</code> JAAS option can
still be used, but it is deprecated and will be removed in a future version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.scope</code> from configuration</li>"
+ + "<li><code>scope</code> from JAAS</li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID =
"sasl.oauthbearer.client.credentials.client.id";
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID_DOC = "<p>The ID (defined in/by
the OAuth identity provider) to identify the client" +
+ " requesting the token.</p>"
+ + "<p>"
+ + "The client ID was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key <code>clientId</code>."
+ + " For backward compatibility, the <code>clientId</code> JAAS option
can still be used, but it is deprecated and will be removed in a future
version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.client.credentials.client.id</code> from
configuration</li>"
+ + "<li><code>clientId</code> from JAAS</li>"
+ + "</ul>";
+
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET =
"sasl.oauthbearer.client.credentials.client.secret";
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET_DOC = "<p>The secret (defined
by either the user or preassigned, depending on the"
+ + " identity provider) of the client requesting the token.</p>"
+ + "<p>"
+ + "The client secret was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key
<code>clientSecret</code>."
+ + " For backward compatibility, the <code>clientSecret</code> JAAS
option can still be used, but it is deprecated and will be removed in a future
version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.client.credentials.client.secret</code>
from configuration</li>"
+ + "<li><code>clientSecret</code> from JAAS</li>"
+ + "</ul>";
+
+ private static final String ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE =
"<p><em>Note</em>: If a value for <code>sasl.oauthbearer.assertion.file</code>
is provided,"
+ + " this configuration will be ignored.</p>";
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_ALGORITHM =
"sasl.oauthbearer.assertion.algorithm";
+ public static final String DEFAULT_SASL_OAUTHBEARER_ASSERTION_ALGORITHM =
"RS256";
+ public static final String SASL_OAUTHBEARER_ASSERTION_ALGORITHM_DOC =
"<p>The algorithm the Apache Kafka client should use to sign the assertion sent"
+ + " to the identity provider. It is also used as the value of the
OAuth <code>alg</code> (Algorithm) header in the JWT assertion.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD =
"sasl.oauthbearer.assertion.claim.aud";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD_DOC =
"<p>The JWT <code>aud</code> (Audience) claim which will be included in the "
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS =
"sasl.oauthbearer.assertion.claim.exp.seconds";
+ public static final int
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS = 300;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS_DOC = "<p>The number of seconds
<em>in the future</em> for which the JWT is valid."
+ + " The value is used to determine the JWT <code>exp</code>
(Expiration) claim based on the current system time when the JWT is
created.</p>"
+ + "<p>The formula to generate the <code>exp</code> claim is very
simple:</p>"
+ + "<pre>"
+ + "Let:\n\n"
+ + " x = the current timestamp in seconds, on client\n"
+ + " y = the value of this configuration\n"
+ + "\n"
+ + "Then:\n\n"
+ + " exp = x + y\n"
+ + "</pre>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS =
"sasl.oauthbearer.assertion.claim.iss";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS_DOC =
"<p>The value to be used as the <code>iss</code> (Issuer) claim which will be
included in the"
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE =
"sasl.oauthbearer.assertion.claim.jti.include";
+ public static final boolean
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE = false;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE_DOC = "<p>Flag that determines if
the JWT assertion should generate a unique ID for the"
+ + " JWT and include it in the <code>jti</code> (JWT ID) claim.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS =
"sasl.oauthbearer.assertion.claim.nbf.seconds";
+ public static final int
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS = 60;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS_DOC = "<p>The number of seconds
<em>in the past</em> from which the JWT is valid."
+ + " The value is used to determine the JWT <code>nbf</code> (Not
Before) claim based on the current system time when the JWT is created.</p>"
+ + "<p>The formula to generate the <code>nbf</code> claim is very
simple:</p>"
+ + "<pre>"
+ + "Let:\n\n"
+ + " x = the current timestamp in seconds, on client\n"
+ + " y = the value of this configuration\n"
+ + "\n"
+ + "Then:\n\n"
+ + " nbf = x - y\n"
+ + "</pre>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB =
"sasl.oauthbearer.assertion.claim.sub";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB_DOC =
"<p>The value to be used as the <code>sub</code> (Subject) claim which will be
included in the"
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_FILE =
"sasl.oauthbearer.assertion.file";
+ public static final String SASL_OAUTHBEARER_ASSERTION_FILE_DOC = "<p>File
that contains a <em>pre-generated</em> JWT assertion.</p>"
+ + "<p>The underlying implementation caches the file contents to avoid
the performance hit of loading the file on each access. The caching mechanism
will detect when"
+ + "the file changes to allow for the file to be reloaded on
modifications. This allows for "live" assertion rotation without
restarting the Kafka client.</p>"
+ + "<p>The file is the assertion in the serialized, three part JWT
format:</p>"
+ + "<ol>"
+ + "<li>The <em>header</em> section is a base 64-encoded JWT header
that contains values like <code>alg</code> (Algorithm),"
+ + " <code>typ</code> (Type, always the literal value
<code>JWT</code>), etc.</li>"
+ + "<li>The <em>payload</em> section includes the base 64-encoded set
of JWT claims, such as <code>aud</code> (Audience), <code>iss</code> (Issuer),"
+ + " <code>sub</code> (Subject), etc.</li>"
+ + "<li>The <em>signature</em> section is the concatenated
<em>header</em> and <em>payload</em> sections that was signed using a private
key</li>"
+ + "</ol>"
+ + "<p>See <a
href=\"https://datatracker.ietf.org/doc/html/rfc7519\">RFC 7519</a> and <a
href=\"https://datatracker.ietf.org/doc/html/rfc7515\">RFC 7515</a>"
+ + " for more details on the JWT and JWS formats.</p>"
+ + "<p><em>Note</em>: If a value for
<code>sasl.oauthbearer.assertion.file</code> is provided, all other"
+ + " <code>sasl.oauthbearer.assertion.</code>* configuration are
ignored.</p>";
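Review bot: The signature description in SASL_OAUTHBEARER_ASSERTION_FILE_DOC (item 3 of the `<ol>`) does not match RFC 7515, which the paragraph links to: the JWS signature is computed over the base64url-encoded header, a `.`, and the base64url-encoded payload, not over "the concatenated header and payload sections that was signed". Suggest "the signature over the base64url-encoded header and payload (joined by a period), produced with the private key", and replace "base 64-encoded" with "base64url-encoded" in items 1 and 2, since a token written with standard Base64 (padding, `+`, `/`) is not a valid JWS and will be rejected by the identity provider. Two smaller points in the same hunk: SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC and SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC end the "default implementation" paragraph with `to create."` and immediately open `<p>Other implementations`, so a `</p>` is missing; and both "Other implementations" lists include the default class itself (DefaultJwtRetriever, DefaultJwtValidator), which reads oddly under a heading that says "Other".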
Review Comment:
Fixed.
##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -129,6 +130,186 @@ public class SaslConfigs {
+ " authentication provider."
+ LOGIN_EXPONENTIAL_BACKOFF_NOTE;
+ public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS =
"sasl.oauthbearer.jwt.retriever.class";
+ public static final String DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS =
"org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever";
+ public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC =
"<p>The fully-qualified class name of a <code>JwtRetriever</code>
implementation used to"
+ + " request tokens from the identity provider.</p>"
+ + "<p>The default configuration value represents a class that
maintains backward compatibility with previous versions of"
+ + " Apache Kafka. The default implementation uses the configuration to
determine which concrete implementation to create."
+ + "<p>Other implementations that are provided include:</p>"
+ + "<ul>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientCredentialsJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.FileJwtRetriever</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.JwtBearerJwtRetriever</code></li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"sasl.oauthbearer.jwt.validator.class";
+ public static final String
DEFAULT_BROKER_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator";
+ public static final String
DEFAULT_CLIENT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS =
"org.apache.kafka.common.security.oauthbearer.ClientJwtValidator";
+ public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC =
"<p>The fully-qualified class name of a <code>JwtValidator</code>
implementation used to"
+ + " validate the JWT from the identity provider.</p>"
+ + "<p>The default configuration value represents a class that
maintains backward compatibility with previous versions of"
+ + " Apache Kafka. The default implementation uses the configuration to
determine which concrete implementation to create."
+ + "<p>Other implementations that are provided include:</p>"
+ + "<ul>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.BrokerJwtValidator</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.ClientJwtValidator</code></li>"
+ +
"<li><code>org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator</code></li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_GRANT_TYPE =
"sasl.oauthbearer.grant.type";
+ public static final String DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE =
"client_credentials";
+ public static final String SASL_OAUTHBEARER_GRANT_TYPE_DOC = "The OAuth
grant type to use when communicating with the identity provider. On the whole,
the"
+ + " OAuth layer does not rely on this value and expects it to be used
and/or verified for correctness by the <code>JwtRetriever</code>
implementation."
+ + " The default value of <code>client_credentials</code> maintains
backward compatibility. The built-in grant types are:"
+ + "<ul>"
+ + "<li><code>client_credentials</code></li>"
+ + "<li><code>urn:ietf:params:oauth:grant-type:jwt-bearer</code></li>"
+ + "</ul>"
+ + "<p>The OAuth code in Apache Kafka does not limit the values that
are used. A user can write a custom <code>JwtRetriever</code> implementation
that uses"
+ + " a completely different grant type, if desired.</p>";
+
+ public static final String SASL_OAUTHBEARER_SCOPE =
"sasl.oauthbearer.scope";
+ public static final String SASL_OAUTHBEARER_SCOPE_DOC = "<p>This is the
level of access a client application is granted to a resource or API which is"
+ + " included in the token request. If provided, it should match one or
more scopes configured in the identity provider.</p>"
+ + "<p>"
+ + "The scope was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key <code>scope</code>."
+ + " For backward compatibility, the <code>scope</code> JAAS option can
still be used, but it is deprecated and will be removed in a future version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.scope</code> from configuration</li>"
+ + "<li><code>scope</code> from JAAS</li>"
+ + "</ul>";
+
+ public static final String SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID =
"sasl.oauthbearer.client.credentials.client.id";
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID_DOC = "<p>The ID (defined in/by
the OAuth identity provider) to identify the client" +
+ " requesting the token.</p>"
+ + "<p>"
+ + "The client ID was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key <code>clientId</code>."
+ + " For backward compatibility, the <code>clientId</code> JAAS option
can still be used, but it is deprecated and will be removed in a future
version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.client.credentials.client.id</code> from
configuration</li>"
+ + "<li><code>clientId</code> from JAAS</li>"
+ + "</ul>";
+
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET =
"sasl.oauthbearer.client.credentials.client.secret";
+ public static final String
SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET_DOC = "<p>The secret (defined
by either the user or preassigned, depending on the"
+ + " identity provider) of the client requesting the token.</p>"
+ + "<p>"
+ + "The client secret was previously stored as part of the
<code>sasl.jaas.config</code> configuration with the key
<code>clientSecret</code>."
+ + " For backward compatibility, the <code>clientSecret</code> JAAS
option can still be used, but it is deprecated and will be removed in a future
version."
+ + "</p>"
+ + "<p>Order of precedence:</p>"
+ + "<ul>"
+ + "<li><code>sasl.oauthbearer.client.credentials.client.secret</code>
from configuration</li>"
+ + "<li><code>clientSecret</code> from JAAS</li>"
+ + "</ul>";
+
+ private static final String ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE =
"<p><em>Note</em>: If a value for <code>sasl.oauthbearer.assertion.file</code>
is provided,"
+ + " this configuration will be ignored.</p>";
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_ALGORITHM =
"sasl.oauthbearer.assertion.algorithm";
+ public static final String DEFAULT_SASL_OAUTHBEARER_ASSERTION_ALGORITHM =
"RS256";
+ public static final String SASL_OAUTHBEARER_ASSERTION_ALGORITHM_DOC =
"<p>The algorithm the Apache Kafka client should use to sign the assertion sent"
+ + " to the identity provider. It is also used as the value of the
OAuth <code>alg</code> (Algorithm) header in the JWT assertion.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD =
"sasl.oauthbearer.assertion.claim.aud";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD_DOC =
"<p>The JWT <code>aud</code> (Audience) claim which will be included in the "
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS =
"sasl.oauthbearer.assertion.claim.exp.seconds";
+ public static final int
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS = 300;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_SECONDS_DOC = "<p>The number of seconds
<em>in the future</em> for which the JWT is valid."
+ + " The value is used to determine the JWT <code>exp</code>
(Expiration) claim based on the current system time when the JWT is
created.</p>"
+ + "<p>The formula to generate the <code>exp</code> claim is very
simple:</p>"
+ + "<pre>"
+ + "Let:\n\n"
+ + " x = the current timestamp in seconds, on client\n"
+ + " y = the value of this configuration\n"
+ + "\n"
+ + "Then:\n\n"
+ + " exp = x + y\n"
+ + "</pre>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS =
"sasl.oauthbearer.assertion.claim.iss";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS_DOC =
"<p>The value to be used as the <code>iss</code> (Issuer) claim which will be
included in the"
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE =
"sasl.oauthbearer.assertion.claim.jti.include";
+ public static final boolean
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE = false;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE_DOC = "<p>Flag that determines if
the JWT assertion should generate a unique ID for the"
+ + " JWT and include it in the <code>jti</code> (JWT ID) claim.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS =
"sasl.oauthbearer.assertion.claim.nbf.seconds";
+ public static final int
DEFAULT_SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS = 60;
+ public static final String
SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_SECONDS_DOC = "<p>The number of seconds
<em>in the past</em> from which the JWT is valid."
+ + " The value is used to determine the JWT <code>nbf</code> (Not
Before) claim based on the current system time when the JWT is created.</p>"
+ + "<p>The formula to generate the <code>nbf</code> claim is very
simple:</p>"
+ + "<pre>"
+ + "Let:\n\n"
+ + " x = the current timestamp in seconds, on client\n"
+ + " y = the value of this configuration\n"
+ + "\n"
+ + "Then:\n\n"
+ + " nbf = x - y\n"
+ + "</pre>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB =
"sasl.oauthbearer.assertion.claim.sub";
+ public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB_DOC =
"<p>The value to be used as the <code>sub</code> (Subject) claim which will be
included in the"
+ + " client JWT assertion created locally.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_FILE =
"sasl.oauthbearer.assertion.file";
+ public static final String SASL_OAUTHBEARER_ASSERTION_FILE_DOC = "<p>File
that contains a <em>pre-generated</em> JWT assertion.</p>"
+ + "<p>The underlying implementation caches the file contents to avoid
the performance hit of loading the file on each access. The caching mechanism
will detect when"
+ + "the file changes to allow for the file to be reloaded on
modifications. This allows for "live" assertion rotation without
restarting the Kafka client.</p>"
+ + "<p>The file is the assertion in the serialized, three part JWT
format:</p>"
+ + "<ol>"
+ + "<li>The <em>header</em> section is a base 64-encoded JWT header
that contains values like <code>alg</code> (Algorithm),"
+ + " <code>typ</code> (Type, always the literal value
<code>JWT</code>), etc.</li>"
+ + "<li>The <em>payload</em> section includes the base 64-encoded set
of JWT claims, such as <code>aud</code> (Audience), <code>iss</code> (Issuer),"
+ + " <code>sub</code> (Subject), etc.</li>"
+ + "<li>The <em>signature</em> section is the concatenated
<em>header</em> and <em>payload</em> sections that was signed using a private
key</li>"
+ + "</ol>"
+ + "<p>See <a
href=\"https://datatracker.ietf.org/doc/html/rfc7519\">RFC 7519</a> and <a
href=\"https://datatracker.ietf.org/doc/html/rfc7515\">RFC 7515</a>"
+ + " for more details on the JWT and JWS formats.</p>"
+ + "<p><em>Note</em>: If a value for
<code>sasl.oauthbearer.assertion.file</code> is provided, all other"
+ + " <code>sasl.oauthbearer.assertion.</code>* configuration are
ignored.</p>";
+
+ public static final String SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE =
"sasl.oauthbearer.assertion.private.key.file";
+ public static final String SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE_DOC
= "<p>File that contains a private key in the standard PEM format which is
used to"
+ + " sign the JWT assertion sent to the identity provider.</p>"
+ + "<p>The underlying implementation caches the file contents to avoid
the performance hit of loading the file on each access. The caching mechanism
will detect when"
+ + "the file changes to allow for the file to be reloaded on
modifications. This allows for "live" private key rotation without
restarting the Kafka client.</p>"
+ + ASSERTION_FILE_MUTUAL_EXCLUSION_NOTICE;
+
+ public static final String
SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE =
"sasl.oauthbearer.assertion.private.key.passphrase";
+ public static final String
SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE_DOC = "<p>The optional
passphrase to decrypt the private key file specified by"
+ + " <code>sasl.oauthbearer.assertion.private.key.file</code>.</p>"
+ + "<p><em>Note</em>: If the file referred to by
<code>sasl.oauthbearer.assertion.private.key.file</code> is modified on the
file system at runtime and it was"
+ + "created with a <em>different</em> passphrase than it was
previously, the client will not be able to access the private key file because
the passphrase is now"
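Review bot: In SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE_DOC the literals `"... The caching mechanism will detect when"` and `"the file changes to allow for the file to be reloaded ..."` are concatenated without a separating space, so the rendered doc reads "whenthe file changes"; SASL_OAUTHBEARER_ASSERTION_FILE_DOC has the identical defect. Add the leading space to the second literal in both. The same two docs contain `"live"` with plain double quotes inside a Java string literal, while the `href` attributes a few lines earlier use `\"`; unless those are `&quot;` entities that the diff view has decoded, the constant will not compile, so escape them. Last, SASL_OAUTHBEARER_ASSERTION_ALGORITHM_DOC calls `alg` the "OAuth `alg` (Algorithm) header"; it is the JWS/JOSE header defined in RFC 7515, which the assertion file doc already links, so "JWS `alg` header" is the accurate term and avoids suggesting the OAuth layer interprets the value.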
Review Comment:
Fixed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]