[
https://issues.apache.org/jira/browse/KAFKA-19790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Keith Wall updated KAFKA-19790:
-------------------------------
Description:
I notice that the code in Kafka for handling of the scopes claim does not
comply with the RFC.
[https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim|https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim] says:
{quote}The value of the {{scope}} claim is a JSON string containing a
space-separated list of scopes associated with the token, in the format
described in [Section 3.3|https://www.rfc-editor.org/rfc/rfc6749#section-3.3]
of [[RFC6749|https://datatracker.ietf.org/doc/html/rfc6749]]
{quote}
However, the code in Kafka that parses the JWT payload does not permit a
space-separated list. It would treat a value like "email phone address" as a
single scope "email phone address" rather than three separate scopes of "email",
"phone", "address".
The affected code is here:
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java#L166]
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L343]
Impact:
Looking at the production code in Apache Kafka itself, I think the defect is
currently harmless. As far as I can tell, there's no production code that
makes use of
org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken#scope.
I think there would be a potential for impact for a user writing their own
OAuthBearerValidatorCallbackHandler that uses Kafka's BrokerJwtValidator and
makes use of the scope value.
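To make the difference concrete, here is an added example (not code from Apache Kafka or from the reporter) that parses a scope claim the way RFC 8693 section 4.2 and RFC 6749 section 3.3 define it, next to the single-scope behaviour the issue describes; the class and method names are made up for illustration, and the claim value is a constructed sample.

```java
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

// Example code written for this issue, not code from Apache Kafka.
// Parses the "scope" claim the way RFC 8693 section 4.2 and RFC 6749 section 3.3 define it.
public final class ScopeClaimParser {

    // RFC 6749 section 3.3: scope-token = 1*( %x21 / %x23-5B / %x5D-7E ),
    // i.e. printable ASCII excluding SP, '"' and '\'.
    private static final Pattern SCOPE_TOKEN = Pattern.compile("[\\x21\\x23-\\x5B\\x5D-\\x7E]+");

    // The behaviour the issue describes: the whole claim string becomes one scope.
    // Kept only to contrast with the compliant parse below.
    static Set<String> naiveParse(String claimValue) {
        Set<String> scopes = new LinkedHashSet<>();
        scopes.add(claimValue);
        return scopes;
    }

    // Compliant parse: "scope = scope-token *( SP scope-token )". Tokens are separated by
    // exactly one space; an empty token (leading, trailing or doubled space) or a token with
    // characters outside the grammar is rejected rather than silently accepted.
    static Set<String> parseScopeClaim(String claimValue) {
        Set<String> scopes = new LinkedHashSet<>();
        if (claimValue == null || claimValue.isEmpty()) {
            return scopes;                       // claim absent or empty: no scopes granted
        }
        for (String token : claimValue.split(" ", -1)) {   // limit -1 keeps empty tokens visible
            if (!SCOPE_TOKEN.matcher(token).matches()) {
                throw new IllegalArgumentException("invalid scope-token in scope claim: '" + token + "'");
            }
            scopes.add(token);
        }
        return scopes;
    }

    public static void main(String[] args) {
        String claim = "email phone address";    // constructed sample claim value
        System.out.println("naive parse: " + naiveParse(claim));
        System.out.println("RFC parse:   " + parseScopeClaim(claim));
        // A scope check in a custom OAuthBearerValidatorCallbackHandler only behaves as
        // intended with the RFC parse: the naive set has no element equal to "phone".
        System.out.println("naive grants phone? " + naiveParse(claim).contains("phone"));
        System.out.println("RFC grants phone?   " + parseScopeClaim(claim).contains("phone"));
    }
}
```

With the single-scope parse, an authorization check for any individual scope fails closed for every token that carries more than one scope, which is the failure mode a handler author would hit first.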
was:
I notice that the code in Kafka for handling of the scopes claim does not
comply with the RFC.
[https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim|https://datatracker.ietf.org/doc/html/rfc8693#name-scope-scopes-claim] says:
{quote}The value of the {{scope}} claim is a JSON string containing a
space-separated list of scopes associated with the token, in the format
described in [Section 3.3|https://www.rfc-editor.org/rfc/rfc6749#section-3.3]
of [[RFC6749|https://datatracker.ietf.org/doc/html/rfc6749]]
{quote}
However, the code in Kafka that parses the JWT payload does not permit a
space-separated list. It would treat a value like "email phone address" as a
single scope "email phone address" rather than three separate scopes of "email",
"phone", "address".
The affected code is here:
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/BrokerJwtValidator.java#L166]
[https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/unsecured/OAuthBearerUnsecuredJws.java#L343]
Impact:
Looking at the production code in Apache Kafka itself, I think the defect is
currently harmless. As far as I can tell, there's no production code that
makes use of
org.apache.kafka.common.security.oauthbearer.internals.secured.BasicOAuthBearerToken#scope.
I think there would be a potential for impact for a user writing their own
OAuthBearerValidatorCallbackHandler that uses Kafka's BrokerJwtValidator and
makes use of the scope value.
As far as I can tell, the other impact of the defect would come to a user using
their own
> Parsing of the scope claim does not comply with RFC-8693
> --------------------------------------------------------
>
> Key: KAFKA-19790
> URL: https://issues.apache.org/jira/browse/KAFKA-19790
> Project: Kafka
> Issue Type: Bug
> Reporter: Keith Wall
> Priority: Minor
--
This message was sent by Atlassian Jira
(v8.20.10#820010)