- Bug
- Resolution: Done
- Major
- 1.4.0.GA, 1.4.1.GA
- The "Username claim extraction not supported by validator: class io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator" error[1][2] occurs when using "usernameClaim" with an "introspection endpoint" in Red Hat AMQ Streams 1.4.
- The "usernameClaim" feature with an "introspection endpoint" was not implemented in Red Hat AMQ Streams 1.4 (strimzi-kafka-oauth 0.3). This feature is available in AMQ Streams 1.5 (strimzi-kafka-oauth 0.5)[3].
- However, we are using it in our AMQ Streams 1.4 documentation[4]. The user who is following the procedure is getting an error. Please fix the documentation at AMQ Streams 1.4.
[1] Kafka broker error log
my-cluster-kafka-0 kafka 2020-10-15 02:35:34,299 WARN [SocketServer brokerId=0] Unexpected error from /10.116.1.50; closing connection (org.apache.kafka.common.network.Selector) [data-plane-kafka-network-thread-0-ListenerName(EXTERNAL-9094)-SASL_PLAINTEXT-11]
my-cluster-kafka-0 kafka java.lang.IllegalStateException: Username claim extraction not supported by validator: class io.strimzi.kafka.oauth.validator.OAuthIntrospectionValidator
my-cluster-kafka-0 kafka at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler$1.principalName(JaasServerOauthValidatorCallbackHandler.java:194)
my-cluster-kafka-0 kafka at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.process(OAuthBearerSaslServer.java:181)
my-cluster-kafka-0 kafka at org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer.evaluateResponse(OAuthBearerSaslServer.java:101)
my-cluster-kafka-0 kafka at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.handleSaslToken(SaslServerAuthenticator.java:451)
my-cluster-kafka-0 kafka at org.apache.kafka.common.security.authenticator.SaslServerAuthenticator.authenticate(SaslServerAuthenticator.java:291)
my-cluster-kafka-0 kafka at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173)
my-cluster-kafka-0 kafka at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547)
my-cluster-kafka-0 kafka at org.apache.kafka.common.network.Selector.poll(Selector.java:483)
my-cluster-kafka-0 kafka at kafka.network.Processor.poll(SocketServer.scala:890)
my-cluster-kafka-0 kafka at kafka.network.Processor.run(SocketServer.scala:789)
my-cluster-kafka-0 kafka at java.lang.Thread.run(Thread.java:748)
[2] Kafka producer error log
[2020-10-15 02:35:31,143] WARN [Producer clientId=console-producer] Connection to node -1 (my-cluster-kafka-external-bootstrap/172.25.1.6:9094) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue. (org.apache.kafka.clients.NetworkClient)
[3] Better support for different authorization servers (#51)
https://github.com/strimzi/strimzi-kafka-oauth/commit/f9e50c4907c4f70f32e5d48c4c85969a9101b9b3
[4] Example configuration from the AMQ Streams 1.4 documentation
# Example configuration for an introspection endpoint
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
spec:
  kafka:
    listeners:
      tls:
        authentication:
          type: oauth
          clientId: kafka-broker
          clientSecret:
            secretName: my-cluster-oauth
            key: clientSecret
          validIssuerUri: <https://<auth-server-address>/auth/realms/tls>
          introspectionEndpointUri: <https://<auth-server-address>/auth/realms/tls/protocol/openid-connect/token/introspect>
          userNameClaim: preferred_username # HERE
          tlsTrustedCertificates:
          - secretName: oauth-server-cert
            certificate: ca.crt
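A pre-deployment check for exactly this combination, added here as an example and not part of the issue or of Strimzi itself: it walks the listener map of a v1beta1 Kafka CR (held as a constructed dict mirroring the documentation example, since loading YAML would need PyYAML) and flags userNameClaim next to introspectionEndpointUri whenever the broker's strimzi-kafka-oauth is older than 0.5. The version threshold is taken from the issue text; jwksEndpointUri is the alternative Strimzi validator field.

```python
from typing import Dict, List, Tuple

# strimzi-kafka-oauth 0.5 (AMQ Streams 1.5) is the first release where userNameClaim
# works with an introspection endpoint; 0.3 (AMQ Streams 1.4) throws on it (see [1]).
MIN_LIB_FOR_INTROSPECTION_USERNAME_CLAIM = (0, 5)

# Constructed copy of the documentation example above, in the v1beta1 listener-map form.
EXAMPLE_CR = {
    "apiVersion": "kafka.strimzi.io/v1beta1",
    "kind": "Kafka",
    "spec": {"kafka": {"listeners": {"tls": {"authentication": {
        "type": "oauth",
        "clientId": "kafka-broker",
        "validIssuerUri": "https://<auth-server-address>/auth/realms/tls",
        "introspectionEndpointUri": "https://<auth-server-address>/auth/realms/tls/"
                                    "protocol/openid-connect/token/introspect",
        "userNameClaim": "preferred_username",
    }}}}},
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'0.3.0' -> (0, 3, 0); non-numeric parts such as a 'GA' suffix are dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def check_oauth_auth(auth: Dict, oauth_lib_version: str) -> List[str]:
    """Findings for one listener's 'authentication' block."""
    findings: List[str] = []
    if auth.get("type") != "oauth":
        return findings
    introspection = "introspectionEndpointUri" in auth
    if not introspection and "jwksEndpointUri" not in auth:
        findings.append("no introspectionEndpointUri or jwksEndpointUri: tokens cannot be validated")
    if introspection and "userNameClaim" in auth and \
            parse_version(oauth_lib_version) < MIN_LIB_FOR_INTROSPECTION_USERNAME_CLAIM:
        findings.append(
            "userNameClaim with introspectionEndpointUri needs strimzi-kafka-oauth >= 0.5, "
            f"got {oauth_lib_version}: brokers will reject every client with "
            "'Username claim extraction not supported by validator'")
    return findings

def lint_kafka_cr(cr: Dict, oauth_lib_version: str) -> List[Tuple[str, str]]:
    """(listener name, finding) pairs across all listeners of a Kafka CR."""
    listeners = cr.get("spec", {}).get("kafka", {}).get("listeners", {})
    return [(name, f) for name, listener in listeners.items()
            for f in check_oauth_auth(listener.get("authentication", {}), oauth_lib_version)]

if __name__ == "__main__":
    for name, finding in lint_kafka_cr(EXAMPLE_CR, "0.3.0"):
        print(f"listener {name}: {finding}")
```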
- relates to: ENTMQST-2341 [Doc RHEL] "oauth.username.claim" with "introspection endpoint" is available from AMQ Streams 1.5 (Closed)