[WIP] JWT bearer grant type support

checkstyle/import-control.xml

@@ -143,6 +143,7 @@
         <allow pkg="javax.crypto" />
       </subpackage>
       <subpackage name="oauthbearer">
+        <allow pkg="com.fasterxml.jackson.annotation" />
         <allow pkg="com.fasterxml.jackson.databind" />
         <allow pkg="org.jose4j" />
       </subpackage>

clients/not_allowed.json

@@ -0,0 +1 @@
+9Bd3Qm7Wkm4l8dkZ

clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java

@@ -129,6 +129,58 @@ public class SaslConfigs {
             + " authentication provider."
             + LOGIN_EXPONENTIAL_BACKOFF_NOTE;
 
+
+
+
+
+
+
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = "sasl.oauthbearer.jwt.retriever.class";
+    public static final String DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS = "org.apache.kafka.common.security.oauthbearer.DefaultJwtRetriever";
+    public static final String SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC = "The fully-qualified class name of a JwtRetriever implementation used to request tokens from the"
+            + " identity provider. The default value represents a class that maintains backward compatibility with previous versions of Apache Kafka. The default"
+            + " implementation uses the configuration to determine which concrete implementation to create.";
+
+    public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = "sasl.oauthbearer.jwt.validator.class";
+    public static final String DEFAULT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS = "org.apache.kafka.common.security.oauthbearer.DefaultJwtValidator";
+    public static final String SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC = "The fully-qualified class name of a JwtValidator implementation used to validate the token from the"
+            + " identity provider. The default value represents a class that maintains backward compatibility with previous versions of Apache Kafka. The default"
+            + " implementation uses the configuration to determine which concrete implementation to create.";
+
+    public static final String SASL_OAUTHBEARER_GRANT_TYPE = "sasl.oauthbearer.grant.type";
+    public static final String DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE = "client_credentials";
+    public static final String SASL_OAUTHBEARER_GRANT_TYPE_DOC = "The OAuth grant type to use when communicating with the identity provider. On the whole, the OAuth layer"
+            + " does not rely on this value and expects it to be used and/or verified for correctness by the JwtRetriever implementation. The default value of \"client_credentials\""
+            + " maintains backward compatibility. The built-in grant types are \"client_credentials\" and \"urn:ietf:params:oauth:grant-type:jwt-bearer\"."
+            + " The OAuth code in Kafka does not limit the values that are used. A user can write a custom JwtRetriever implementation that uses a completely different grant"
+            + " type, if desired.";
+
+    public static final String SASL_OAUTHBEARER_SCOPE = "sasl.oauthbearer.scope";
+    public static final String DEFAULT_SASL_OAUTHBEARER_SCOPE = "client_credentials";
+    public static final String SASL_OAUTHBEARER_SCOPE_DOC = "This is the level of access a client application is granted to a resource or API which is included in"
+            + " the token request. If provided, it should match one or more scopes configured in the identity provider. Note: the OAuth scope was previously stored as part"
+            + " of the sasl.jaas.config configuration with the key \"scope\". For backward compatibility, the \"scope\" JAAS option can still be used, but if both are present,"
+            + " this configuration value takes precedence over the value from sasl.jaas.config.";
+
+    public static final String SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID = "sasl.oauthbearer.client.credentials.client.id";
+    public static final String SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET = "sasl.oauthbearer.client.credentials.client.secret";
+    public static final String SASL_OAUTHBEARER_ASSERTION_ALGORITHM = "sasl.oauthbearer.assertion.algorithm";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_AUD = "sasl.oauthbearer.assertion.claim.aud";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_EXP_MINUTES = "sasl.oauthbearer.assertion.claim.exp.minutes";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_ISS = "sasl.oauthbearer.assertion.claim.iss";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_JTI_INCLUDE = "sasl.oauthbearer.assertion.claim.jti.include";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_NBF_MINUTES = "sasl.oauthbearer.assertion.claim.nbf.minutes";
+    public static final String SASL_OAUTHBEARER_ASSERTION_CLAIM_SUB = "sasl.oauthbearer.assertion.claim.sub";
+    public static final String SASL_OAUTHBEARER_ASSERTION_FILE = "sasl.oauthbearer.assertion.file";
+    public static final String SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE = "sasl.oauthbearer.assertion.private.key.file";
+    public static final String SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE = "sasl.oauthbearer.assertion.private.key.passphrase";
+    public static final String SASL_OAUTHBEARER_ASSERTION_TEMPLATE_FILE = "sasl.oauthbearer.assertion.template.file";
+
+
+
+
+
+
     public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = "sasl.oauthbearer.scope.claim.name";
     public static final String DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME = "scope";
     public static final String SASL_OAUTHBEARER_SCOPE_CLAIM_NAME_DOC = "The OAuth claim for the scope is often named \"" + DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME + "\", but this (optional)"
@@ -217,6 +269,9 @@ public static void addClientSaslSupport(ConfigDef config) {
                 .define(SaslConfigs.SASL_LOGIN_RETRY_BACKOFF_MS, ConfigDef.Type.LONG, DEFAULT_SASL_LOGIN_RETRY_BACKOFF_MS, ConfigDef.Importance.LOW, SASL_LOGIN_RETRY_BACKOFF_MS_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_SCOPE_CLAIM_NAME, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_SCOPE_CLAIM_NAME, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_SCOPE_CLAIM_NAME_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_SUB_CLAIM_NAME, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_SUB_CLAIM_NAME, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_SUB_CLAIM_NAME_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, ConfigDef.Type.CLASS, DEFAULT_SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWT_RETRIEVER_CLASS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, ConfigDef.Type.CLASS, DEFAULT_SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWT_VALIDATOR_CLASS_DOC)
+                .define(SaslConfigs.SASL_OAUTHBEARER_GRANT_TYPE, ConfigDef.Type.STRING, DEFAULT_SASL_OAUTHBEARER_GRANT_TYPE, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_GRANT_TYPE)
                 .define(SaslConfigs.SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL, ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_URL, ConfigDef.Type.STRING, null, ConfigDef.Importance.MEDIUM, SASL_OAUTHBEARER_JWKS_ENDPOINT_URL_DOC)
                 .define(SaslConfigs.SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS, ConfigDef.Type.LONG, DEFAULT_SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS, ConfigDef.Importance.LOW, SASL_OAUTHBEARER_JWKS_ENDPOINT_REFRESH_MS_DOC)

clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AssertionCreator.java

@@ -0,0 +1,96 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.kafka.common.security.oauthbearer;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+/**
+ * {@code AssertionCreator} is used to create a client-signed OAuth assertion that can be used with different
+ * grant types. See <a href="https://datatracker.ietf.org/doc/html/rfc7521">RFC 7521</a> for specifics.
+ *
+ * <p/>
+ *
+ * The assertion creator has three main steps:
+ *
+ * <ol>
+ *     <li>Create the JWT header</li>
+ *     <li>Create the JWT payload</li>
+ *     <li>Sign</li>
+ * </ol>
+ *
+ * <p/>
+ *
+ * Step 1 is to dynamically create the JWT header. The implementation may add whatever values it needs, but
+ * the {@code alg} (algorithm), {@code kid} (key ID), and {@code type} (type) are usually present. Here is
+ * an example of the JSON version of the JWT header:
+ *
+ * <pre>
+ * {
+ *   "kid": "9d82418e64e0541066637ca8592d459c",
+ *   "alg": RS256,
+ *   "typ": "JWT",
+ * }
+ * </pre>
+ *
+ * <p/>
+ *
+ * Step 2 is to create the JWT payload from the claims provided to {@link #create(AssertionJwtTemplate)}. Depending on the
+ * implementation, other claims may be dynamically generated and added to the JWT payload. Or, some of the
+ * claims in the incoming map could be ignored or modified. Here's an example where the implementation has
+ * added the {@code iat} (initialized at) and {@code exp} (expires) claims:
+ *
+ * <pre>
+ * {
+ *   "iat": 1741121401,
+ *   "exp": 1741125001,
+ *   "sub": "some-service-account",
+ *   "aud": "my_audience",
+ *   "iss": "https://example.com",
+ *   "...": "...",
+ * }
+ * </pre>
+ *
+ * <p/>
+ *
+ * Step 3 is to use the configured private key to sign the header and payload and serialize in the compact
+ * JWT format. The means by which the private key (if any) is made available for use is up to the
+ * implementation. The private key could be loaded from a file, downloaded from a trusted resource,
+ * embedded in the configuration, etc.
+ */
+public interface AssertionCreator extends Closeable {
+
+    /**
+     * Creates and signs an OAuth assertion by converting the given claims into JWT and then signing it using
+     * the configured algorithm.
+     *
+     * <p/>
+     *
+     * @param template {@link AssertionJwtTemplate} with optional header and/or claims to include in the JWT
+     */
+    String create(AssertionJwtTemplate template) throws GeneralSecurityException, IOException;
+
+    /**
+     * Closes any resources used by this implementation. The default implementation of
+     * this method is a no op, for convenience to implementors.
+     */
+    @Override
+    default void close() {
+        // Do nothing...
+    }
+}

clients/src/main/java/org/apache/kafka/common/security/oauthbearer/AssertionJwtTemplate.java

@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.kafka.common.security.oauthbearer;
+
+import java.io.Closeable;
+import java.util.Map;
+
+/**
+ * {@code AssertionJwtTemplate} is used to provide values for use by {@link AssertionCreator}.
+ * The JWT header and/or payload used in the assertion likely requires headers and claims. Not all identity
+ * providers require the same set of headers and claims; some may require a given header or claim while
+ * other identity providers may prohibit it. In order to provide the most flexibility, the header
+ * values and claims that are to be included in the JWT can be added via a template.
+ *
+ * <p/>
+ *
+ * Both the {@link #header()} and {@link #payload()} APIs return a map of Objects. This because the
+ * <a href="https://www.json.org/">JSON specification<a> allow values to be one of the following "types":
+ *
+ * <ul>
+ *   <li>object</li>
+ *   <li>array</li>
+ *   <li>string</li>
+ *   <li>number</li>
+ *   <li><code>true</code></li>
+ *   <li><code>false</code></li>
+ *   <li><code>null</code></li>
+ * </ul>
+ *
+ * However, because the maps must be converted into JSON, it's important that any nested types use standard
+ * Java type equivalents (Map, List, String, Integer, Double, and Boolean) so that the JSON library will
+ * know how to serialize the entire object graph.
+ */
+public interface AssertionJwtTemplate extends Closeable {
+
+    /**
+     * Returns a map containing zero or more header values.
+     *
+     * @return Values to include in the JWT header
+     */
+    Map<String, Object> header();
+
+    /**
+     * Returns a map containing zero or more JWT payload claim values.
+     *
+     * @return Values to include in the JWT payload
+     */
+    Map<String, Object> payload();
+
+    /**
+     * Closes any resources used by this implementation. The default implementation of
+     * this method is a no op, for convenience to implementors.
+     */
+    @Override
+    default void close() {
+        // Do nothing...
+    }
+}