[ https://issues.apache.org/jira/browse/KAFKA-13848?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andras Csaki resolved KAFKA-13848.
----------------------------------
    Reviewer: Luke Chen
    Resolution: Fixed

Thank you [~showuon], [~tombentley] and Sam Barker for the review! I'm leaving "fix version" empty for now.

> Clients remain connected after SASL re-authentication fails
> -----------------------------------------------------------
>
>                 Key: KAFKA-13848
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13848
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients
>    Affects Versions: 3.1.0
>         Environment: https://github.com/acsaki/kafka-sasl-reauth
>            Reporter: Andras Csaki
>            Assignee: Andras Csaki
>            Priority: Minor
>              Labels: Authentication, OAuth2, SASL
>
> Clients remain connected and able to produce or consume despite an expired OAUTHBEARER token.
>
> The problem can be reproduced using the https://github.com/acsaki/kafka-sasl-reauth project by starting the embedded OAuth2 server and Kafka, then running the long-running consumer in OAuthBearerTest and then killing the OAuth2 server, thus making the client unable to re-authenticate.
>
> Root cause seems to be SaslServerAuthenticator#calcCompletionTimesAndReturnSessionLifetimeMs failing to set ReauthInfo#sessionExpirationTimeNanos when tokens have already expired (when the session lifetime goes negative), in turn causing KafkaChannel#serverAuthenticationSessionExpired to return false and finally SocketServer not closing the channel.
>
> The issue is observed with OAUTHBEARER but seems to have a wider impact on SASL re-authentication.

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
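The defect class the report describes, as an added illustration that is not Kafka's code and not the patch that closed this ticket: a deliberately simplified model of the server-side re-authentication session bookkeeping. The class and method names (`ReauthSessionModel`, `ReauthInfo`, `buggyCalcSessionLifetimeMs`, `fixedCalcSessionLifetimeMs`, `sessionExpired`), the clock values and the token expiry are all constructed for the example; only the shape of the problem (a non-positive remaining lifetime leaving the expiration time unset, so the expiry check can never fire and the channel stays open) follows the ticket. The `maxReauthMs` parameter models a broker-side cap on session length in the spirit of Kafka's `connections.max.reauth.ms`, but its handling here is an assumption.

```java
import java.util.concurrent.TimeUnit;

/** Hypothetical model of SASL re-authentication session expiry on a broker (example only). */
public class ReauthSessionModel {

    /** Per-connection re-authentication state, in the spirit of ReauthInfo (hypothetical). */
    static final class ReauthInfo {
        /** null means "no expiration scheduled": the server will then never expire this session. */
        Long sessionExpirationTimeNanos;
    }

    /**
     * Buggy variant: the remaining lifetime is clamped to zero, but an expiration time is
     * only recorded when the lifetime is still positive. A token that has already expired
     * therefore leaves sessionExpirationTimeNanos null and the connection is never closed.
     */
    static long buggyCalcSessionLifetimeMs(ReauthInfo info, long authEndNanos, long authEndMs,
                                           Long credentialExpiryMs, Long maxReauthMs) {
        long lifetimeMs = remainingLifetimeMs(authEndMs, credentialExpiryMs, maxReauthMs);
        if (lifetimeMs > 0L) {
            info.sessionExpirationTimeNanos = authEndNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        }
        return lifetimeMs; // expiration time left unset when lifetimeMs == 0
    }

    /**
     * Corrected variant (one possible fix, not necessarily the merged one): whenever a
     * lifetime is known at all, an expiration time is always recorded. A zero lifetime
     * means "expire immediately", so the socket server's expiry sweep closes the channel.
     */
    static long fixedCalcSessionLifetimeMs(ReauthInfo info, long authEndNanos, long authEndMs,
                                           Long credentialExpiryMs, Long maxReauthMs) {
        long lifetimeMs = remainingLifetimeMs(authEndMs, credentialExpiryMs, maxReauthMs);
        if (credentialExpiryMs != null || maxReauthMs != null) {
            info.sessionExpirationTimeNanos = authEndNanos + TimeUnit.MILLISECONDS.toNanos(lifetimeMs);
        }
        return lifetimeMs;
    }

    /** Remaining session lifetime: min(credential time left, broker cap), never negative. */
    static long remainingLifetimeMs(long authEndMs, Long credentialExpiryMs, Long maxReauthMs) {
        if (credentialExpiryMs == null && maxReauthMs == null) {
            return 0L; // re-authentication not in use at all
        }
        long lifetime = Long.MAX_VALUE;
        if (credentialExpiryMs != null) {
            lifetime = Math.min(lifetime, credentialExpiryMs - authEndMs);
        }
        if (maxReauthMs != null) {
            lifetime = Math.min(lifetime, maxReauthMs);
        }
        return Math.max(0L, lifetime);
    }

    /** The check a channel would make before the socket server closes an expired session. */
    static boolean sessionExpired(ReauthInfo info, long nowNanos) {
        return info.sessionExpirationTimeNanos != null && nowNanos >= info.sessionExpirationTimeNanos;
    }

    public static void main(String[] args) {
        // Constructed clock readings: wall clock for credential expiry, monotonic clock for sessions.
        long authEndMs = 1_700_000_000_000L;
        long authEndNanos = 5_000_000_000L;
        long expiredTokenMs = authEndMs - 30_000L; // token expired 30 seconds before auth completed
        Long brokerCapMs = 3_600_000L;              // hypothetical one-hour broker cap

        ReauthInfo buggy = new ReauthInfo();
        buggyCalcSessionLifetimeMs(buggy, authEndNanos, authEndMs, expiredTokenMs, brokerCapMs);
        System.out.println("buggy variant, session expired? " + sessionExpired(buggy, authEndNanos + 1L));

        ReauthInfo fixed = new ReauthInfo();
        fixedCalcSessionLifetimeMs(fixed, authEndNanos, authEndMs, expiredTokenMs, brokerCapMs);
        System.out.println("fixed variant, session expired? " + sessionExpired(fixed, authEndNanos + 1L));
    }
}
```

The useful regression check for this class of bug is the one `main` performs: complete authentication with a credential whose expiry is already in the past and assert that the session is reported expired on the very next sweep. Any branch that computes a lifetime but skips recording the expiration time turns "expired" into "never expires", which is the wrong default for an authentication boundary.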