bachmanity1 commented on code in PR #15475: URL: https://github.com/apache/kafka/pull/15475#discussion_r1664244790
########## clients/src/test/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetrieverTest.java: ########## @@ -174,33 +176,39 @@ public void testParseAccessTokenInvalidJson() { } @Test - public void testFormatAuthorizationHeader() { - assertAuthorizationHeader("id", "secret"); + public void testFormatAuthorizationHeader() throws UnsupportedEncodingException { + assertAuthorizationHeader("id", "secret", false); } @Test - public void testFormatAuthorizationHeaderEncoding() { + public void testFormatAuthorizationHeaderEncoding() throws UnsupportedEncodingException { // See KAFKA-14496 - assertAuthorizationHeader("SOME_RANDOM_LONG_USER_01234", "9Q|0`8i~ute-n9ksjLWb\\50\"AX@UUED5E"); + assertAuthorizationHeader("SOME_RANDOM_LONG_USER_01234", "9Q|0`8i~ute-n9ksjLWb\\50\"AX@UUED5E", false); + // See KAFKA-16345 + assertAuthorizationHeader("user!@~'", "secret-(*)!", true); } - private void assertAuthorizationHeader(String clientId, String clientSecret) { + private void assertAuthorizationHeader(String clientId, String clientSecret, boolean urlencode) throws UnsupportedEncodingException { Review Comment: I think the intent here is to prevent unintentional modifications to the `HttpAccessTokenRetriever.formatAuthorizationHeader()` method that could change its resulting value. cc. @kirktrue ########## clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java: ########## @@ -192,6 +192,10 @@ public class SaslConfigs { + " be inspected for the standard OAuth \"iss\" claim and if this value is set, the broker will match it exactly against what is in the JWT's \"iss\" claim. If there is no" + " match, the broker will reject the JWT and authentication will fail."; + public static final String SASL_OAUTHBEARER_HEADER_URLENCODE = "sasl.oauthbearer.header.urlencode"; + public static final boolean DEFAULT_SASL_OAUTHBEARER_HEADER_URLENCODE = false; + public static final String SASL_OAUTHBEARER_HEADER_URLENCODE_DOC = "The (optional) setting to enable the OAuth client to URL-encode the client_id and client_secret in the authorization header" + + " in accordance with RFC6749, see https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 for more detail. The default value is set to 'false' for backward compatibility"; Review Comment: done -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org