Björn Löfroth created KAFKA-17089:
-------------------------------------

Summary: Incorrect JWT parsing in OAuthBearerUnsecuredJws
Key: KAFKA-17089
URL: https://issues.apache.org/jira/browse/KAFKA-17089
Project: Kafka
Issue Type: Bug
Components: clients
Affects Versions: 3.6.2
Reporter: Björn Löfroth
The documentation for the `OAuthBearerUnsecuredJws.toMap` function correctly describes that the input is Base64URL, but then goes ahead and does a simple base64 decode.

https://github.com/apache/kafka/blob/9a7eee60727dc73f09075e971ea35909d2245f19/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L295

It should probably be

```
byte[] decode = Base64.getUrlDecoder().decode(split);
```

The error I get when using Confluent Schema Registry clients:

```
org.apache.kafka.common.errors.SerializationException: Error serializing JSON message
    at io.confluent.kafka.serializers.json.AbstractKafkaJsonSchemaSerializer.serializeImpl(AbstractKafkaJsonSchemaSerializer.java:171)
    at io.confluent.kafka.serializers.json.KafkaJsonSchemaSerializer.serialize(KafkaJsonSchemaSerializer.java:95)
    at org.apache.kafka.clients.producer.KafkaProducer.doSend(KafkaProducer.java:1000)
    at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:947)
    at org.apache.kafka.clients.producer.KafkaProducer.send(KafkaProducer.java:832)
    at se.ica.icc.schemaregistry.example.confluent.ProducerJsonExample.main(ProducerJsonExample.java:87)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:282)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.exceptions.SchemaRegistryOauthTokenRetrieverException: Error while fetching Oauth Token for Schema Registry: OAuth Token for Schema Registry is Invalid
    at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.CachedOauthTokenRetriever.getToken(CachedOauthTokenRetriever.java:74)
    at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.OauthCredentialProvider.getBearerToken(OauthCredentialProvider.java:53)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.setAuthRequestHeaders(RestService.java:1336)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.buildConnection(RestService.java:361)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.sendHttpRequest(RestService.java:300)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.httpRequest(RestService.java:409)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.getLatestVersion(RestService.java:981)
    at io.confluent.kafka.schemaregistry.client.rest.RestService.getLatestVersion(RestService.java:972)
    at io.confluent.kafka.schemaregistry.client.CachedSchemaRegistryClient.getLatestSchemaMetadata(CachedSchemaRegistryClient.java:574)
    at io.confluent.kafka.serializers.AbstractKafkaSchemaSerDe.lookupLatestVersion(AbstractKafkaSchemaSerDe.java:571)
    at io.confluent.kafka.serializers.AbstractKafkaSchemaSerDe.lookupLatestVersion(AbstractKafkaSchemaSerDe.java:554)
    at io.confluent.kafka.serializers.json.AbstractKafkaJsonSchemaSerializer.serializeImpl(AbstractKafkaJsonSchemaSerializer.java:151)
    ... 11 more
Caused by: org.apache.kafka.common.security.oauthbearer.internals.secured.ValidateException: Could not validate the access token: malformed Base64 URL encoded value
    at org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator.validate(LoginAccessTokenValidator.java:93)
    at io.confluent.kafka.schemaregistry.client.security.bearerauth.oauth.CachedOauthTokenRetriever.getToken(CachedOauthTokenRetriever.java:72)
    ... 22 more
Caused by: org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException: malformed Base64 URL encoded value
    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws.toMap(OAuthBearerUnsecuredJws.java:310)
    at org.apache.kafka.common.security.oauthbearer.internals.secured.LoginAccessTokenValidator.validate(LoginAccessTokenValidator.java:91)
    ... 23 more
```

The JWT is otherwise valid when I view it in jwt.io.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
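The following is an added, stand-alone illustration of the decoding mismatch described in this report; it is not code from Kafka or from the reporter. JWS segments are Base64URL (RFC 7515: `-` and `_` replace `+` and `/`, and `=` padding is omitted). Java's basic `Base64.getDecoder()` tolerates missing padding but rejects `-` and `_`, so the wrong decoder only fails for tokens whose encoded bytes happen to produce one of those two characters; tokens without them decode fine, which makes the defect data dependent rather than constant. The header and payload JSON below are constructed sample values chosen so the payload segment contains a `_`, and the class and method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not Kafka's code): decoding JWS compact-serialization segments
 * with the basic Base64 decoder versus the Base64URL decoder.
 */
public class JwsSegmentDecoding {

    // Constructed sample claims. The '?' byte (0x3F) sits at a position where its
    // low six bits become Base64 alphabet index 63: '/' in basic Base64 but '_' in
    // Base64URL. That single '_' is enough to make the basic decoder throw.
    static final String HEADER_JSON = "{\"alg\":\"none\"}";
    static final String PAYLOAD_JSON = "{\"sub\":\"?\"}";

    /** Builds an unsecured JWS (header.payload.) with a Base64URL encoder and no padding. */
    static String buildUnsecuredJws(String headerJson, String payloadJson) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8))
                + ".";
    }

    /** The decoding the report describes: basic Base64 applied to a Base64URL segment. */
    static String decodeWithBasicDecoder(String segment) {
        return new String(Base64.getDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    /** The decoding the report suggests instead: the URL-safe decoder. */
    static String decodeWithUrlDecoder(String segment) {
        return new String(Base64.getUrlDecoder().decode(segment), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        String jws = buildUnsecuredJws(HEADER_JSON, PAYLOAD_JSON);
        // Keep trailing empty strings so the empty signature segment is preserved.
        String[] split = jws.split("\\.", -1);
        System.out.println("token: " + jws);

        for (int i = 0; i < 2; i++) {
            String name = i == 0 ? "header" : "payload";
            System.out.println(name + " segment: " + split[i]);
            System.out.println("  url decoder   -> " + decodeWithUrlDecoder(split[i]));
            try {
                System.out.println("  basic decoder -> " + decodeWithBasicDecoder(split[i]));
            } catch (IllegalArgumentException e) {
                // This is the exception a caller would wrap as "malformed Base64 URL
                // encoded value": the '_' in the payload segment is outside the basic alphabet.
                System.out.println("  basic decoder -> " + e.getClass().getSimpleName()
                        + ": " + e.getMessage());
            }
        }
    }
}
```

Running it shows the header segment (`eyJhbGciOiJub25lIn0`, no `-` or `_`) decoding identically under both decoders, while the payload segment (`eyJzdWIiOiI_In0`) decodes only with the URL decoder and makes the basic decoder throw `IllegalArgumentException`. When triaging reports like this one, checking the failing token for `-` or `_` in any segment is a quick way to confirm that this decoder mismatch, rather than a genuinely malformed token, is the cause.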