[ https://issues.apache.org/jira/browse/KAFKA-20101?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kirk True updated KAFKA-20101:
------------------------------
    Component/s: security

> Support org.apache.kafka.sasl.oauthbearer.allowed.urls=*
> --------------------------------------------------------
>
>                 Key: KAFKA-20101
>                 URL: https://issues.apache.org/jira/browse/KAFKA-20101
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients, security
>    Affects Versions: 4.1.1
>            Reporter: Romain Quinio
>            Priority: Major
>
> With Kafka 4.0.0+ and [https://github.com/apache/kafka/pull/18519], using 
> {{sasl.mechanism=OAUTHBEARER}} requires whitelisting the value of 
> {{sasl.oauthbearer.token.endpoint.url}} by setting the Java system property 
> {{-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls}} at JVM startup.
> [https://docs.confluent.io/platform/current/security/authentication/sasl/oauthbearer/configure-clients.html]
> mentions {{org.apache.kafka.sasl.oauthbearer.allowed.urls=*}}
> {code:java}
> This property specifies a comma-separated list of allowed IdP JWKS (JSON Web 
> Key Set) and token endpoint URLs. Use * (asterisk) as the value to allow any 
> endpoint.
> org.apache.kafka.sasl.oauthbearer.allowed.urls=*
> You should consult the specific Kafka client and IdP documentation for the 
> exact interpretation and security implications of such a broad setting.
> {code}
> But this configuration doesn't appear to work with kafka-client / 
> kafka-streams 4.1.1.
> Debugging the code, the logic is to do an exact match between both strings 
> (https://github.com/apache/kafka/blame/74ebbae8ece464573c1288e8f233ef804074fe7b/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/ConfigurationUtils.java#L407).
> It would help to have such a mechanism, to avoid duplicating the endpoint URL 
> as a system property, which is error-prone. In container-based environments, 
> the Kafka client configuration is immutable, and the assumptions of 
> CVE-2025-27817 that "Kafka Clients configurations can be specified by an 
> untrusted party" are not applicable.
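An added illustration (not Kafka's code and not part of the issue) of the behaviour the report describes: the allow-list is compared by exact string match, so a literal `*` never matches a real endpoint. It also shows the workaround a deployment can use instead of a wildcard, deriving the JVM property value from the client's own configuration so the URL is not re-typed by hand. The property names are the real Kafka ones; the properties parser, the sample config and the URL values are constructed for this example.

```python
"""Exact-match allow-list check as described in KAFKA-20101 (added example)."""

ALLOWED_URLS_PROPERTY = "org.apache.kafka.sasl.oauthbearer.allowed.urls"

# Client properties whose values must appear in the allow-list (JWKS and
# token endpoint URLs, as the quoted documentation says).
URL_PROPERTIES = (
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.jwks.endpoint.url",
)


def parse_properties(text):
    """Minimal key=value parser for a Java-style properties file (constructed
    simplification: no continuation lines or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_url_allowed(url, allowed_urls):
    """Exact-match check as the report describes it: each comma-separated
    entry is compared literally, so '*' only ever matches the string '*'."""
    allowed = {u.strip() for u in allowed_urls.split(",") if u.strip()}
    return url in allowed


def jvm_flag_from_config(props_text):
    """Build the -D flag from the client config rather than using '*', which
    would disable the allow-list entirely if a client honoured it."""
    props = parse_properties(props_text)
    urls = [props[k] for k in URL_PROPERTIES if k in props]
    return f"-D{ALLOWED_URLS_PROPERTY}={','.join(urls)}"


# Constructed sample client configuration.
SAMPLE_CONFIG = """\
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.oauthbearer.token.endpoint.url=https://idp.example.test/oauth2/token
"""

if __name__ == "__main__":
    flag = jvm_flag_from_config(SAMPLE_CONFIG)
    token_url = parse_properties(SAMPLE_CONFIG)[URL_PROPERTIES[0]]
    print(flag)
    print(is_url_allowed(token_url, "*"))                     # False
    print(is_url_allowed(token_url, flag.split("=", 1)[1]))   # True
```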



--
This message was sent by Atlassian Jira
(v8.20.10#820010)