Re: [jira] [Created] (KAFKA-20184) jose4j marked as compileOnly in clients module causes ClassNotFoundException at runtime for OAuth authentication

Thu, 19 Feb 2026 06:37:42 -0800 

I am also curious to understand why this worked with no issues on kafka
client 3.9.0 and 3.9.1 but needed jose4j to be included only for
kafka 4.1.1 client.

The source code seems to be the same and even the above compileOnly
statement seems to be there in kafka client 3.9.0 also.

On Thu, Feb 19, 2026 at 6:33 PM Subra I <[email protected]> wrote:

> I see this issue too when I run OAuth2 on kafka client 4.1.1. I
> packaged jose4j and then it worked.
>
> Interestingly, when I use kafka client 3.9.1 or kafka client 3.9.0, I do
> not see this exception at all. Works perfectly fine even if I do not
> package jose4j jar file.
>
> On Fri, Feb 13, 2026 at 5:27 PM Christian Semaan (Jira) <[email protected]>
> wrote:
>
>> Christian Semaan created KAFKA-20184:
>> ----------------------------------------
>>
>>              Summary: jose4j marked as compileOnly in clients module
>> causes ClassNotFoundException at runtime for OAuth authentication
>>                  Key: KAFKA-20184
>>                  URL: https://issues.apache.org/jira/browse/KAFKA-20184
>>              Project: Kafka
>>           Issue Type: Bug
>>           Components: clients
>>     Affects Versions: 3.1.0
>>             Reporter: Christian Semaan
>>
>>
>> The `jose4j` library is currently marked as `compileOnly` in the
>> `:clients` module dependency configuration
>> https://github.com/apache/kafka/blob/4.1/build.gradle#L1819, with a
>> comment stating "only used by broker". However, this is incorrect and
>> causes runtime issues.
>>
>> OAuth implementation classes are in the clients module, not just broker:
>> *
>> org.apache.kafka.common.security.oauthbearer.internals.secured.CloseableVerificationKeyResolver
>> (interface extending jose4j's VerificationKeyResolver)
>>  *
>> org.apache.kafka.common.security.oauthbearer.internals.secured.JwksFileVerificationKeyResolver
>>  *
>> org.apache.kafka.common.security.oauthbearer.internals.secured.RefreshingHttpsJwksVerificationKeyResolver
>>
>> Impact:
>> Runtime Failure: When Kafka clients are used with SASL/OAUTHBEARER
>> authentication, the application will encounter `ClassNotFoundException` or
>> `NoClassDefFoundError` for jose4j classes at runtime unless users manually
>> add jose4j as a dependency to their applications.
>>
>>
>>
>>
>> --
>> This message was sent by Atlassian Jira
>> (v8.20.10#820010)
>>
>

Reply via email to