Re: [PR] KAFKA-16345: Optionally URL-encode clientID and clientSecret in authorization header [kafka]

[via GitHub]

bachmanity1 commented on code in PR #15475:
URL: https://github.com/apache/kafka/pull/15475#discussion_r1664244790


##########
clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetrieverTest.java:
##########
@@ -174,33 +176,39 @@ public void testParseAccessTokenInvalidJson() {
     }
 
     @Test
-    public void testFormatAuthorizationHeader() {
-        assertAuthorizationHeader("id", "secret");
+    public void testFormatAuthorizationHeader() throws 
UnsupportedEncodingException {
+        assertAuthorizationHeader("id", "secret", false);
     }
 
     @Test
-    public void testFormatAuthorizationHeaderEncoding() {
+    public void testFormatAuthorizationHeaderEncoding() throws 
UnsupportedEncodingException {
         // See KAFKA-14496
-        assertAuthorizationHeader("SOME_RANDOM_LONG_USER_01234", 
"9Q|0`8i~ute-n9ksjLWb\\50\"AX@UUED5E");
+        assertAuthorizationHeader("SOME_RANDOM_LONG_USER_01234", 
"9Q|0`8i~ute-n9ksjLWb\\50\"AX@UUED5E", false);
+        // See KAFKA-16345
+        assertAuthorizationHeader("user!@~'", "secret-(*)!", true);
     }
 
-    private void assertAuthorizationHeader(String clientId, String 
clientSecret) {
+    private void assertAuthorizationHeader(String clientId, String 
clientSecret, boolean urlencode) throws UnsupportedEncodingException {

Review Comment:
   I think the intent here is to prevent unintentional modifications to the 
`HttpAccessTokenRetriever.formatAuthorizationHeader()` method that could change 
its resulting value. 
   
   cc. @kirktrue 



##########
clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java:
##########
@@ -192,6 +192,10 @@ public class SaslConfigs {
             + " be inspected for the standard OAuth \"iss\" claim and if this 
value is set, the broker will match it exactly against what is in the JWT's 
\"iss\" claim. If there is no"
             + " match, the broker will reject the JWT and authentication will 
fail.";
 
+    public static final String SASL_OAUTHBEARER_HEADER_URLENCODE = 
"sasl.oauthbearer.header.urlencode";
+    public static final boolean DEFAULT_SASL_OAUTHBEARER_HEADER_URLENCODE = 
false;
+    public static final String SASL_OAUTHBEARER_HEADER_URLENCODE_DOC = "The 
(optional) setting to enable the OAuth client to URL-encode the client_id and 
client_secret in the authorization header"
+            + " in accordance with RFC6749, see 
https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 for more detail. 
The default value is set to 'false' for backward compatibility";

Review Comment:
   done



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org