[ https://issues.apache.org/jira/browse/KAFKA-14062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kirk True updated KAFKA-14062:
------------------------------
    Summary: OAuth client token refresh fails with SASL extensions  (was: OAuth token refresh causes client authentication to fail)

> OAuth client token refresh fails with SASL extensions
> -----------------------------------------------------
>
>                 Key: KAFKA-14062
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14062
>             Project: Kafka
>          Issue Type: Bug
>          Components: admin, clients, consumer, producer, security
>    Affects Versions: 3.1.0, 3.2.0, 3.1.1, 3.3.0, 3.3
>            Reporter: Kirk True
>            Assignee: Kirk True
>            Priority: Major
>              Labels: OAuth
>             Fix For: 3.1.2, 3.2.1
>
>
> While testing OAuth for Connect an issue surfaced where authentication that
> was successful initially fails during token refresh. This appears to be due
> to missing SASL extensions on refresh, though those extensions were present
> on initial authentication.
> During token refresh, the Kafka client adds and removes any SASL extensions.
> If a refresh is attempted during the window when the extensions are not
> present in the subject, the refresh fails with the following error:
> {code:java}
> [2022-04-11 20:33:43,250] INFO [AdminClient clientId=adminclient-8] Failed
> authentication with <host>/<IP> (Authentication failed: 1 extensions are
> invalid! They are: xxx: Authentication failed)
> (org.apache.kafka.common.network.Selector){code}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)