We have implemented our own LoginModule and Authorizer. The LoginModule does an authentication on the client side, obtains a token and passes that token down to our custom SaslServer which then verifies that this token is valid. Our Authorizer gets that token and asks another custom service if the necessary topic permissions are there. This is a very simplified description, but it should suffice for my question.
I've found that the LoginModule only authenticates once and passes that token down once as well. Our service requires a heartbeat to keep the token alive. I would like the SaslService to call our authentication service every once in a while and if the token ever times out (it times out after 24 hours; even with heartbeats, but heartbeats every so many minutes can extend the session to 24 hours), then I'd like it to respond back to the LoginModule with some sort of failed to authorize message or code. Once this gets passed to the Authorizer, we can extend the session by querying our internal Authentication/Authorization service.

I was hoping, as a fallback plan, that the Authorizer could do this, by simply throwing an exception or failing the request when the authorization finally returns false (due to session timeout), but I don't see anywhere in the documentation where a certain kind of failure in the authorizer can bubble up to the authenticator and I don't see how I can configure the LoginModule to periodically redo authentication.

Can anyone out there help me? Is the Kafka SASL implementation not meant for such a complicated scenario or am I just thinking about it all wrong?

Thanks,
Christian