Kirk True created KAFKA-14062:
---------------------------------
Summary: OAuth token refresh causes client authentication to fail
Key: KAFKA-14062
URL: https://issues.apache.org/jira/browse/KAFKA-14062
Project: Kafka
Issue Type: Bug
Components: admin, clients, consumer, producer, security
Affects Versions: 3.1.1, 3.2.0, 3.1.0, 3.3.0, 3.3
Reporter: Kirk True
Assignee: Kirk True
Fix For: 3.1.2, 3.2.1

While testing OAuth for Connect, an issue surfaced where authentication that was
successful initially fails during token refresh. This appears to be due to
missing SASL extensions on refresh, though those extensions were present on
initial authentication.

During token refresh, the Kafka client adds and removes any SASL extensions. If
a refresh is attempted during the window when the extensions are not present in
the subject, the refresh fails with the following error:

{code:java}
[2022-04-11 20:33:43,250] INFO [AdminClient clientId=adminclient-8] Failed
authentication with <host>/<IP> (Authentication failed: 1 extensions are
invalid! They are: xxx: Authentication failed)
(org.apache.kafka.common.network.Selector){code}
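A minimal model of the window described in the report, added here as an illustration and not taken from Kafka's code base: the `Extensions` class and the method names are hypothetical stand-ins, and only `javax.security.auth.Subject` is a real API. The add-before-remove ordering is shown as one way to close such a gap, not as the fix shipped for this issue.

```java
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

public class ExtensionRefreshWindow {
    // Hypothetical stand-in for the SASL extensions credential kept in the Subject.
    // Deliberately has identity equality, so old and new instances are distinct set members.
    static final class Extensions {
        final Map<String, String> values;
        Extensions(Map<String, String> values) { this.values = values; }
    }

    // What an authentication attempt would read from the Subject at this instant.
    static Map<String, String> extensionsSeenBy(Subject subject) {
        Set<Extensions> found = subject.getPublicCredentials(Extensions.class);
        return found.isEmpty() ? Map.of() : found.iterator().next().values;
    }

    // Ordering with a gap: the old credential is removed before the new one is added.
    static Map<String, String> removeThenAdd(Subject subject, Extensions fresh) {
        subject.getPublicCredentials().removeIf(c -> c instanceof Extensions);
        // A concurrent authentication attempt landing here sees no extensions at all.
        Map<String, String> seenInWindow = extensionsSeenBy(subject);
        subject.getPublicCredentials().add(fresh);
        return seenInWindow;
    }

    // Ordering without a gap: add the new credential first, then drop the stale ones.
    static Map<String, String> addThenRemove(Subject subject, Extensions fresh) {
        Set<Extensions> stale = subject.getPublicCredentials(Extensions.class); // snapshot copy
        subject.getPublicCredentials().add(fresh);
        // A reader here sees the old or the new extensions, never an empty set.
        Map<String, String> seenInWindow = extensionsSeenBy(subject);
        subject.getPublicCredentials().removeAll(stale);
        return seenInWindow;
    }

    public static void main(String[] args) {
        // Constructed sample value; "xxx" mirrors the redacted extension name in the log line.
        Map<String, String> sample = Map.of("xxx", "constructed-value");

        Subject a = new Subject();
        a.getPublicCredentials().add(new Extensions(sample));
        System.out.println("remove-then-add window: " + removeThenAdd(a, new Extensions(sample)));

        Subject b = new Subject();
        b.getPublicCredentials().add(new Extensions(sample));
        System.out.println("add-then-remove window: " + addThenRemove(b, new Extensions(sample)));
    }
}
```

The reader is called inline at the point where a second thread would interleave, so the outcome is deterministic rather than dependent on timing.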