Kafka-client 2.5.0 connection to Azure Event Hub authentication failure

[Schwilk David (IOC/PAP-TH)]

Hello,

When trying to connect our Kafka client to an Azure Event Hub via SASL_SSL we 
encounter an error in the authentication process.

IllegalSaslStateException: Invalid SASL mechanism response, server may be 
expecting a different protocol at 2020-08-07T05:03:16.072637487Z,
trace: org.apache.kafka.common.errors.IllegalSaslStateException: Invalid SASL 
mechanism response, server may be expecting a different protocol Caused by:
org.apache.kafka.common.protocol.types.SchemaException: Error reading field 
auth_bytes: Bytes size -1 cannot be negative at
org.apache.kafka.common.protocol.types.Schema.read(Schema.java:110) at
org.apache.kafka.common.protocol.ApiKeys.parseResponse(ApiKeys.java:313) at
org.apache.kafka.clients.NetworkClient.parseStructMaybeUpdateThrottleTimeMetrics(NetworkClient.java:725)
 at
org.apache.kafka.clients.NetworkClient.parseResponse(NetworkClient.java:712) at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.receiveKafkaResponse(SaslClientAuthenticator.java:523)
 at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.receiveToken(SaslClientAuthenticator.java:457)
 at
org.apache.kafka.common.security.authenticator.SaslClientAuthenticator.authenticate(SaslClientAuthenticator.java:266)
 at
org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:177) at
org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:547) at
org.apache.kafka.common.network.Selector.poll(Selector.java:485) at
org.apache.kafka.clients.NetworkClient.poll(NetworkClient.java:549) at
org.apache.kafka.clients.producer.internals.Sender.runOnce(Sender.java:324) at
org.apache.kafka.clients.producer.internals.Sender.run(Sender.java:239) at
java.base/java.lang.Thread.run(Thread.java:836)

It seems like auth_bytes is incorrect in the token response from Event Hub.
Previously when using the client 2.1.1 the connections were working.
The sasl configuration with which we’re connecting seems correct to me and was 
working on the 2.1.1 client as well:

bootstrap.servers=XXX.servicebus.windows.net:9093
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule 
required username="$ConnectionString" 
password="Endpoint=sb://XXXX.servicebus.windows.net/;SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=**************************";

Were there some changes since 2.1.1, which could cause something like that?/ Is 
this error known to you?

Best regards
David Schwilk

Bosch IoT Things- Product Area IoT Platform (IOC/PAP-TH)
Bosch.IO GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch.io
david.schw...@bosch-si.com<mailto:david.schw...@bosch-si.com>

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. 
Stefan Ferber, Dr. Aleksandar Mitrovic, Yvonne Reckling

​