Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-13703

OAUTHBEARER client will not use defined truststore

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 3.1.0
    • None
    • clients

    Description

      I am developing a Kafka client that uses OAUTHBEARER and SSL to connect. I'm attempting to test against a server using a key from a custom CA. I added the trust-chain for the server to a Truststore JKS file, and referenced it in the configuration. However, I continually get PKIX errors. After some code tracing, I believe the OAUTHBEARER client code ignores defined truststores.

      Here is an example based on my configuration:

      application.id=my-kafka-client
client.id=my-kafka-client
group.id=my-kafka-client

# OAuth/SSL listener
bootstrap.servers=<MY_SERVER>:9096
security.protocol=SASL_SSL

# OAuth Configuration
sasl.mechanism=OAUTHBEARER
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.login.connect.timeout.ms=15000
sasl.oauthbearer.token.endpoint.url=https://<MY_SERVER>/auth/realms/<MY_REALM>/protocol/openid-connect/token
ssl.truststore.location=<MY_PATH>\kafka.truststore.jks
#ssl.truststore.password=changeit

sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
clientId="my-kafka-client" \
clientSecret="my-kafka-client-secret";

      Note - my Truststore does not have password (I tried setting it to see if that would solve the problem initially).

      I'm using the following example test code:

      package example;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Properties;
import org.apache.kafka.clients.consumer.ConsumerConfig;
import org.apache.kafka.clients.consumer.KafkaConsumer;
import org.apache.kafka.clients.producer.ProducerConfig;
import org.apache.kafka.common.serialization.StringDeserializer;
import org.apache.kafka.common.serialization.StringSerializer;

public class Main {

   public static void main(final String[] args) throws IOException, URISyntaxException {
      Properties config = new Properties();
      config.load(Main.class.getClassLoader().getResourceAsStream("client.conf"));

      config.put(ProducerConfig.KEY_SERIALIZER_CLASS_CONFIG, StringSerializer.class);
      config.put(ProducerConfig.VALUE_SERIALIZER_CLASS_CONFIG, StringSerializer.class);
      config.put(ConsumerConfig.KEY_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
      config.put(ConsumerConfig.VALUE_DESERIALIZER_CLASS_CONFIG, StringDeserializer.class);
      
      final KafkaConsumer<String, String> consumer = new KafkaConsumer<>(config);
   }
}

      The issue seems to be in the org.apache.kafka.common.security.oauthbearer.secured package - in particular the AccessTokenRetrieverFactory.create() method, as it creates an sslContext but does not include the configured truststore from the Kafka configuration.

      As such, it appears that unless you alter the JVM-default truststore, you cannot connect to a server running a custom trust-chain.

      Attachments

        Activity

          People

            Unassigned Unassigned
            adam@adam-long.net Adam Long
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: