Hi Stanislav.  Could you add something to the KIP about the security
implications related to the CSV name/value pairs sent in the extension?
For example, the OAuth access token may have a digital signature, but the
extensions generally will not (unless one of the values is a JWS compact
serialization, but I doubt anyone would go that far), so the server
generally cannot trust the extensions to be accurate for anything
critical.  You mentioned the "better tracing and troubleshooting" use case,
which I think is fine despite the lack of security; given that lack of
security, though, I believe it is important to also state what the
extensions should *not* be used for.

Also, could you indicate in the KIP how the extensions might actually be
added?  My take on that would be to extend OAuthBearerLoginModule to
override the initialize() and commit() methods so that the derived class
would have access to the Subject instance and could add a map to the
subject's public or private credentials when the commit succeeds; then I
think the sasl.client.callback.handler.class would have to be explicitly
set to a class that extends the default implementation
(OAuthBearerSaslClientCallbackHandler) and retrieves the map when handling
the SaslExtensionsCallback.  But maybe you are thinking about it
differently?  Some guidance on how to actually take advantage of the
feature via an implementation would be a useful addition to the KIP.

Finally, I note that the extension parsing does not support a comma in keys
or values.  This should be addressed somehow -- either by supporting via an
escaping mechanism or by explicitly acknowledging that it is unsupported.

Thanks for the KIP and the simultaneous PR -- having both at the same time
really helped.

Ron

On Tue, Jul 17, 2018 at 6:22 PM Stanislav Kozlovski <stanis...@confluent.io>
wrote:

> Hey group,
>
> I just created a new KIP about adding customizable SASL extensions to the
> OAuthBearer authentication mechanism. More details in the proposal
>
> KIP:
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-342%3A+Add+support+for+Custom+SASL+extensions+in+OAuthBearer+authentication
> JIRA: KAFKA-7169 <https://issues.apache.org/jira/browse/KAFKA-7169>
> PR: Pull request <https://github.com/apache/kafka/pull/5379>
>
> --
> Best,
> Stanislav
>
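Added example for Ron's third point, the comma problem in the extension name/value pairs. This is illustration code written for this page, not code from the KIP, the PR, or either message above. It assumes a `name=value,name=value` wire form and a backslash escape for ',', '=' and '\' inside names and values; KIP-342's actual serialization is not shown on this page. `naive_decode` shows what comma-blind splitting does to a value that happens to contain a comma, and `decode_extensions` is the strict, escape-aware alternative that rejects anything it cannot parse unambiguously.

```python
"""Escaping for comma-separated extension name/value pairs.

ASSUMPTIONS (this illustration's, not KIP-342's): extensions travel as
"name=value,name=value", and a backslash escapes ',', '=' and '\\' inside
a name or a value. Anything else is rejected rather than guessed at.
"""

ESCAPE = "\\"
SPECIAL = {",", "=", ESCAPE}


def _escape(text: str) -> str:
    """Backslash-escape every character that is structurally significant."""
    return "".join(ESCAPE + ch if ch in SPECIAL else ch for ch in text)


def encode_extensions(extensions: dict) -> str:
    """Serialize name/value pairs; names must be non-empty."""
    parts = []
    for name, value in extensions.items():
        if not name:
            raise ValueError("extension name must not be empty")
        parts.append(_escape(name) + "=" + _escape(value))
    return ",".join(parts)


def _split_unescaped(text: str, sep: str) -> list:
    """Split on unescaped `sep`, keeping escape sequences intact for a later pass."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == ESCAPE:
            if i + 1 >= len(text):
                raise ValueError("dangling escape at end of input")
            buf.append(text[i:i + 2])
            i += 2
        elif ch == sep:
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    parts.append("".join(buf))
    return parts


def _unescape(text: str) -> str:
    """Resolve escape sequences; escaping a non-special character is an error."""
    out, i = [], 0
    while i < len(text):
        if text[i] == ESCAPE:
            if i + 1 >= len(text) or text[i + 1] not in SPECIAL:
                raise ValueError(f"bad escape sequence in {text!r}")
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def decode_extensions(text: str) -> dict:
    """Parse the assumed wire form; raise ValueError on anything malformed."""
    result = {}
    if text == "":
        return result
    for item in _split_unescaped(text, ","):
        name_value = _split_unescaped(item, "=")
        if len(name_value) != 2:
            raise ValueError(f"expected exactly one unescaped '=' in {item!r}")
        name, value = (_unescape(part) for part in name_value)
        if not name:
            raise ValueError("empty extension name")
        if name in result:
            raise ValueError(f"duplicate extension name {name!r}")
        result[name] = value
    return result


def naive_decode(text: str) -> dict:
    """Comma-blind parsing: a ',' inside a value silently starts a new pair."""
    return dict(item.split("=", 1) for item in text.split(","))


def rejects(text: str) -> bool:
    """True if the strict decoder refuses `text`."""
    try:
        decode_extensions(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the "note" value contains both separators.
    sample = {"traceId": "abc123", "note": "x,y=z", "path": "a\\b"}
    wire = encode_extensions(sample)
    print(wire)                                  # traceId=abc123,note=x\,y\=z,path=a\\b
    print(decode_extensions(wire) == sample)     # True
    # Without escaping, the comma in "note" turns "y=z" into a third pair.
    print(naive_decode("traceId=abc123,note=x,y=z"))
```

The strict decoder fails closed: a dangling backslash, a pair without '=', an empty name or a duplicate name all raise instead of producing a partial map, which is the behaviour to want for data the server cannot verify anyway.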
