Skip to content

KAFKA-18847: Refactor OAuth layer to improve reusability 1/N #19622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 21 commits into
base: trunk
Choose a base branch
from
Open

KAFKA-18847: Refactor OAuth layer to improve reusability 1/N #19622

wants to merge 21 commits into from
+579 −473

Conversation

kirktrue
Copy link
Contributor

@kirktrue kirktrue commented May 2, 2025
edited by github-actions bot
Loading

Rename AccessTokenRetriever and AccessTokenValidator to
JwtRetriever and JwtValidator, respectively. Also converting the
factory pattern classes AccessTokenRetrieverFactory and
AccessTokenValidatorFactory into delegate/wrapper classes
DefaultJwtRetriever and DefaultJwtValidator, respectively.

These are all internal changes, no configuration, user APIs, RPCs, etc.
were changed.

@kirktrue
KAFKA-18847: Refactor OAuth layer to improve reusability 1/N
667bb22 
Rename AccessTokenRetriever and AccessTokenValidator to JwtRetriever and JwtValidator, respectively. Also converting the factory pattern classes AccessTokenRetrieverFactory and AccessTokenValidatorFactory into delegate/wrapper classes DefaultJwtRetriever and DefaultJwtValidator, respectively.

These are all internal changes, no configuration, user APIs, RPCs, etc. were changed.
@github-actions github-actions bot added triage PRs from the community tools clients labels May 2, 2025
lianetm
lianetm reviewed May 6, 2025
View reviewed changes
Copy link
Member

@lianetm lianetm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kirktrue ! No major concerns, some comments for consideration

kirktrue added 11 commits May 6, 2025 15:40
@kirktrue
Changed wording in Initable's init() Javadoc
c45219b
@kirktrue
Removed ambiguity in OAuthBearerValidatorCallbackHandler's log messages
3d1a2ba
@kirktrue
Removed superfluous no-op init() overrides
5cb1de3
@kirktrue
Fixed inconsistent Javadoc formatting in ClientJwtValidator
84e2129
@kirktrue
Created a default, no-op close() implementation and removed the no-op…
35d3454 
… close() methods from BrokerJwtValidator and ClientJwtValidator
@kirktrue
Updated validateUrlencodeHeader to use ConfigurationUtils’ get() meth…
f298a16 
…od instead of the clumsier validateBoolean() method
@kirktrue
Added clarifying Javadoc for DefaultJwtValidator
e5e97c8
@kirktrue
Fixed a missing phrase in the FileJwtRetriever documentation.
08ec47d
@kirktrue
HttpJwtRetriever Javadoc cleanup
bddc0e2
@kirktrue
Moved tests from JwtValidatorFactoryTest to OAuthBearerValidatorCallb…
4c48438 
…ackHandlerTest
@kirktrue
Fixed import linting issues
9882fbe
@kirktrue
Copy link
Contributor Author

kirktrue commented May 6, 2025

Thanks for the review, @lianetm! I've fixed the issues you've mentioned and tested locally, but I'll watch the result of the CI job. Thanks!

@github-actions github-actions bot removed the triage PRs from the community label May 7, 2025
m1a2st
m1a2st reviewed May 7, 2025
View reviewed changes
Copy link
Collaborator

@m1a2st m1a2st left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @kirktrue for this patch, a little comments

...java/org/apache/kafka/common/security/oauthbearer/internals/secured/DefaultJwtValidator.java Outdated
Comment on lines 72 to 75
List<String> l = cu.get(SASL_OAUTHBEARER_EXPECTED_AUDIENCE);

if (l != null)
expectedAudiences = Set.copyOf(l);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps we could update the variable name l to something more descriptive for better readability.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

😆 Yes, I'll update it. Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Thanks!

kirktrue and others added 4 commits May 7, 2025 11:05
@kirktrue @m1a2st
Update clients/src/main/java/org/apache/kafka/common/security/oauthbe…
395d779 
…arer/internals/secured/VerificationKeyResolverFactory.java

Co-authored-by: Ken Huang <s7133700@gmail.com>
@kirktrue @m1a2st
Update clients/src/test/java/org/apache/kafka/common/security/oauthbe…
dbb4ac9 
…arer/OAuthBearerValidatorCallbackHandlerTest.java

Co-authored-by: Ken Huang <s7133700@gmail.com>
@kirktrue
Update OAuthBearerValidatorCallbackHandlerTest.java
54e6f69 
Fixed missing import from hastily taking GitHub PR suggestion
@kirktrue
Clean up awkward code for expected audience configuration in DefaultJ…
e95660e 
…wtValidator.init()
lianetm
lianetm reviewed May 7, 2025
View reviewed changes
Copy link
Member

@lianetm lianetm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the updates @kirktrue ! One important bit I just noticed, lmk

.../main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java Outdated
public void init(AccessTokenRetriever accessTokenRetriever, AccessTokenValidator accessTokenValidator) {
this.accessTokenRetriever = accessTokenRetriever;
this.accessTokenValidator = accessTokenValidator;
public void init(JwtRetriever jwtRetriever, JwtValidator jwtValidator) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

uhm the OAuthBearerLoginCallbackHandler class is part of the public API, so changing params in this public method would be a breaking change not accounted for in the KIP, right?

It's a tricky situation because the class of the params is not public API (AccessTokenRetriever).
This init is only used internally, and I expect is not intended to be called directly ever (only indirectly from the public API configure). So I would say that having this init public is what's wrong in the first place?

Anyways, fact is that it is public API at the moment (https://kafka.apache.org/40/javadoc/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.html), so we need to amend the KIP I would expect, to remove this init overload from the public API (move to package-private). Since it's based on non-public param types it's probably safe to assume no one should be really using it (but not sure if I'm missing something here). Thoughts?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So I would say that having this init public is what's wrong in the first place?

This method is only public by virtue of the awkwardness of the unit tests. I'd prefer to make the init() method package protected, or just remove it altogether. The existence of init() was not mentioned in the previous KIP (KIP-768), so my thought is that it can be changed without updating the KIP.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When we originally added these classes, the methods were package-protected for testing purposes:
Initial PR

Later, when the packages were reorganized, the methods were made public:
Follow-up PR

I agree that since these methods are only used in tests and invoked exclusively for testing, it’s reasonable to update or delete them.

omkreddy
omkreddy reviewed May 8, 2025
View reviewed changes
...java/org/apache/kafka/common/security/oauthbearer/internals/secured/DefaultJwtRetriever.java
@@ -36,32 +39,27 @@
import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;

public class AccessTokenRetrieverFactory {
public class DefaultJwtRetriever implements JwtRetriever {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add Javadoc?

.../main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java Outdated
@@ -177,57 +178,41 @@ public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHand

private static final String EXTENSION_PREFIX = "extension_";

private Map<String, Object> moduleOptions;
protected Map<String, Object> moduleOptions;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we avoid protected in these public classes. maybe we can add package-private getters/etc.. for testing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@omkreddy omkreddy omkreddy left review comments

@lianetm lianetm lianetm left review comments

@m1a2st m1a2st m1a2st left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
ci-approved clients tools
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@kirktrue @omkreddy @lianetm @m1a2st