KAFKA-18608: Add Support for OAuth Client Assertion to client_credentials Grant Type (#21483)

## What

Implements

[KIP-1258](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258%3A+Add+Support+for+OAuth+Client+Assertion+to+client_credentials+Grant+Type):
Add support for OAuth 2.0 client assertion authentication (RFC 7523§2.2)
as a more secure alternative to client secrets.

## Key Changes

### Core Implementation
- **New**: `ClientAssertionRequestFormatter` - Formats HTTP requests
with client assertion parameters
- **Enhanced**: `ClientCredentialsRequestFormatterFactory` - Three-tier
fallback mechanism with logging
- **Renamed**: `ClientCredentialsRequestFormatter`
→`ClientSecretRequestFormatter` (internal class)

### Three-Tier Fallback
1. File-based assertion (`sasl.oauthbearer.assertion.file`)
2. Dynamically-generated assertion
(`sasl.oauthbearer.assertion.claim.iss` + private key)
3. Client secret (backward compatible fallback)

### Infrastructure
- Reuses KIP-1139 assertion creation/signing/caching
- No new configuration properties required
- Supports RS256 and ES256 algorithms
- Automatic private key file reloading

## Testing
- ✅ RFC 7523 compliance verified
- ✅ Backward compatibility validated

## Compatibility
- ✅ 100% backward compatible
- ✅ No public API changes
- ✅ No broker changes required
- ✅ Client-side only implementation

## Configuration Example

```properties
# Client Assertion (Recommended)
sasl.oauthbearer.token.endpoint.url=https://idp.com/oauth/token
sasl.oauthbearer.assertion.private.key.file=/path/to/key.pem
sasl.oauthbearer.assertion.algorithm=RS256
sasl.oauthbearer.assertion.claim.iss=kafka-client
sasl.oauthbearer.assertion.claim.sub=service-account
sasl.oauthbearer.assertion.claim.aud=https://idp.com

# Client Secret (Still Works)
sasl.oauthbearer.client.credentials.client.id=my-client
sasl.oauthbearer.client.credentials.client.secret=my-secret
```

## References
- **JIRA**:
[KAFKA-18608](https://issues.apache.org/jira/browse/KAFKA-18608)
- **KIP**:
[KIP-1258](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258)
- **RFC 7521**: [Assertion Framework for
OAuth2.0](https://datatracker.ietf.org/doc/html/rfc7521)
- **RFC 7523**: [JWT Profile for OAuth 2.0 Client
Authentication](https://datatracker.ietf.org/doc/html/rfc7523)
- **Related**: [KIP-1139 (jwt-bearer
grant)](https://cwiki.apache.org/confluence/display/KAFKA/KIP-1139)

Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Kirk True <kirk@kirktrue.pro>

Author: prabhashkr

build.gradle

@@ -1900,6 +1900,8 @@ project(':clients') {
     testImplementation libs.mockitoCore
     testImplementation libs.mockitoJunitJupiter // supports MockitoExtension
     testImplementation testLog4j2Libs
+    testImplementation libs.testcontainersKeycloak
+    testImplementation libs.testcontainersJunitJupiter
 
     testCompileOnly libs.bndlib
 

checkstyle/import-control.xml

@@ -137,6 +137,9 @@
         <allow pkg="com.fasterxml.jackson.databind" />
         <allow pkg="org.jose4j" />
         <allow pkg="javax.crypto"/>
+        <allow pkg="org.testcontainers" />
+        <allow pkg="org.keycloak" />
+        <allow pkg="dasniko.testcontainers" />
       </subpackage>
     </subpackage>
 

clients/src/main/java/org/apache/kafka/common/security/oauthbearer/ClientCredentialsJwtRetriever.java

@@ -17,13 +17,12 @@
 
 package org.apache.kafka.common.security.oauthbearer;
 
-import org.apache.kafka.common.config.ConfigException;
-import org.apache.kafka.common.config.SaslConfigs;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientCredentialsRequestFormatter;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientCredentialsRequestFormatterFactory;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpJwtRetriever;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpRequestFormatter;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.JaasOptionsUtils;
+import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.common.utils.Utils;
 
 import org.slf4j.Logger;
@@ -32,21 +31,9 @@
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
-import java.util.Objects;
-import java.util.function.Function;
 
 import javax.security.auth.login.AppConfigurationEntry;
 
-import static org.apache.kafka.common.config.SaslConfigs.DEFAULT_SASL_OAUTHBEARER_HEADER_URLENCODE;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_JAAS_CONFIG;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_HEADER_URLENCODE;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_SCOPE;
-import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_ID_CONFIG;
-import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.CLIENT_SECRET_CONFIG;
-import static org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginCallbackHandler.SCOPE_CONFIG;
-
 /**
  * {@code ClientCredentialsJwtRetriever} is a {@link JwtRetriever} that performs the steps to request
  * a JWT from an OAuth/OIDC identity provider using the <code>client_credentials</code> grant type. This
@@ -109,27 +96,26 @@ public class ClientCredentialsJwtRetriever implements JwtRetriever {
 
     private static final Logger LOG = LoggerFactory.getLogger(ClientCredentialsJwtRetriever.class);
 
+    private final Time time;
     private HttpJwtRetriever delegate;
 
+    public ClientCredentialsJwtRetriever() {
+        this(Time.SYSTEM);
+    }
+
+    public ClientCredentialsJwtRetriever(Time time) {
+        this.time = time;
+    }
+
     @Override
     public void configure(Map<String, ?> configs, String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries) {
         ConfigurationUtils cu = new ConfigurationUtils(configs, saslMechanism);
         JaasOptionsUtils jou = new JaasOptionsUtils(saslMechanism, jaasConfigEntries);
 
-        ConfigOrJaas configOrJaas = new ConfigOrJaas(cu, jou);
-        String clientId = configOrJaas.clientId();
-        String clientSecret = configOrJaas.clientSecret();
-        String scope = configOrJaas.scope();
-        boolean urlencodeHeader = validateUrlencodeHeader(cu);
-
-        HttpRequestFormatter requestFormatter = new ClientCredentialsRequestFormatter(
-            clientId,
-            clientSecret,
-            scope,
-            urlencodeHeader
-        );
-
+        HttpRequestFormatter requestFormatter = ClientCredentialsRequestFormatterFactory.create(cu, jou, time);
         delegate = new HttpJwtRetriever(requestFormatter);
+
+        LOG.debug("Created instance of {} as delegate", delegate.getClass().getName());
         delegate.configure(configs, saslMechanism, jaasConfigEntries);
     }
 
@@ -145,108 +131,4 @@ public String retrieve() throws JwtRetrieverException {
     public void close() throws IOException {
         Utils.closeQuietly(delegate, "JWT retriever delegate");
     }
-
-    /**
-     * In some cases, the incoming {@link Map} doesn't contain a value for
-     * {@link SaslConfigs#SASL_OAUTHBEARER_HEADER_URLENCODE}. Returning {@code null} from {@link Map#get(Object)}
-     * will cause a {@link NullPointerException} when it is later unboxed.
-     *
-     * <p/>
-     *
-     * This utility method ensures that we have a non-{@code null} value to use in the
-     * {@link HttpJwtRetriever} constructor.
-     */
-    static boolean validateUrlencodeHeader(ConfigurationUtils configurationUtils) {
-        Boolean urlencodeHeader = configurationUtils.get(SASL_OAUTHBEARER_HEADER_URLENCODE);
-        return Objects.requireNonNullElse(urlencodeHeader, DEFAULT_SASL_OAUTHBEARER_HEADER_URLENCODE);
-    }
-
-    /**
-     * Retrieves the values first from configuration, then falls back to JAAS, and, if required, throws an error.
-     */
-    private static class ConfigOrJaas {
-
-        private final ConfigurationUtils cu;
-        private final JaasOptionsUtils jou;
-
-        private ConfigOrJaas(ConfigurationUtils cu, JaasOptionsUtils jou) {
-            this.cu = cu;
-            this.jou = jou;
-        }
-
-        private String clientId() {
-            return getValue(
-                SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_ID,
-                CLIENT_ID_CONFIG,
-                true,
-                cu::validateString,
-                jou::validateString
-            );
-        }
-
-        private String clientSecret() {
-            return getValue(
-                SASL_OAUTHBEARER_CLIENT_CREDENTIALS_CLIENT_SECRET,
-                CLIENT_SECRET_CONFIG,
-                true,
-                cu::validatePassword,
-                jou::validateString
-            );
-        }
-
-        private String scope() {
-            return getValue(
-                SASL_OAUTHBEARER_SCOPE,
-                SCOPE_CONFIG,
-                false,
-                cu::validateString,
-                jou::validateString
-            );
-        }
-
-        private String getValue(String configName,
-                                String jaasName,
-                                boolean isRequired,
-                                Function<String, String> configValueGetter,
-                                Function<String, String> jaasValueGetter) {
-            boolean isPresentInConfig = cu.containsKey(configName);
-            boolean isPresentInJaas = jou.containsKey(jaasName);
-
-            if (isPresentInConfig) {
-                if (isPresentInJaas) {
-                    // Log if the user is using the deprecated JAAS option.
-                    LOG.warn(
-                        "Both the OAuth configuration {} as well as the JAAS option {} (from the {} configuration) were provided. " +
-                        "Since the {} JAAS option is deprecated, it will be ignored and the value from the {} configuration will be used. " +
-                        "Please update your configuration to only use {}.",
-                        configName,
-                        jaasName,
-                        SASL_JAAS_CONFIG,
-                        jaasName,
-                        configName,
-                        configName
-                    );
-                }
-
-                return configValueGetter.apply(configName);
-            } else if (isPresentInJaas) {
-                String value = jaasValueGetter.apply(jaasName);
-
-                // Log if the user is using the deprecated JAAS option.
-                LOG.warn(
-                    "The OAuth JAAS option {} was configured in {}, but that JAAS option is deprecated and will be removed. " +
-                    "Please update your configuration to use the {} configuration instead.",
-                    jaasName,
-                    SASL_JAAS_CONFIG,
-                    configName
-                );
-
-                return value;
-            } else if (isRequired) {
-                throw new ConfigException(configName, null);
-            } else {
-                return null;
-            }
-        }
-    }
 }

clients/src/main/java/org/apache/kafka/common/security/oauthbearer/DefaultJwtRetriever.java

@@ -17,7 +17,8 @@
 
 package org.apache.kafka.common.security.oauthbearer;
 
-import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientCredentialsRequestFormatter;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientAssertionRequestFormatter;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.ClientSecretRequestFormatter;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.ConfigurationUtils;
 import org.apache.kafka.common.utils.Utils;
 
@@ -43,8 +44,8 @@
  *         If the value of <code>sasl.oauthbearer.token.endpoint.url</code> is set to a value that starts with the
  *         <code>file</code> protocol (e.g. <code>file:/tmp/path/to/a/static-jwt.json</code>), an instance of
  *         {@link FileJwtRetriever} will be used as the underlying {@link JwtRetriever}. Otherwise, the URL is
- *         assumed to be an HTTP/HTTPS-based URL, and an instance of {@link ClientCredentialsRequestFormatter} will
- *         be created and used.
+ *         assumed to be an HTTP/HTTPS-based URL, and an instance of {@link ClientAssertionRequestFormatter} or
+ *         {@link ClientSecretRequestFormatter} will be created and used.
  *     </li>
  * </ul>
  *

clients/src/main/java/org/apache/kafka/common/security/oauthbearer/JwtBearerJwtRetriever.java

@@ -21,29 +21,21 @@
 import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpJwtRetriever;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.HttpRequestFormatter;
 import org.apache.kafka.common.security.oauthbearer.internals.secured.JwtBearerRequestFormatter;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.AssertionCreator;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.AssertionJwtTemplate;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.DefaultAssertionCreator;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.FileAssertionCreator;
-import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.StaticAssertionJwtTemplate;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.AssertionSupplierFactory;
+import org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.CloseableSupplier;
 import org.apache.kafka.common.utils.Time;
 import org.apache.kafka.common.utils.Utils;
 
-import java.io.File;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
-import java.util.Optional;
-import java.util.function.Supplier;
 
 import javax.security.auth.login.AppConfigurationEntry;
 
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_ASSERTION_ALGORITHM;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_ASSERTION_FILE;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE;
-import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE;
 import static org.apache.kafka.common.config.SaslConfigs.SASL_OAUTHBEARER_SCOPE;
-import static org.apache.kafka.common.security.oauthbearer.internals.secured.assertion.AssertionUtils.layeredAssertionJwtTemplate;
 
 /**
  * {@code JwtBearerJwtRetriever} is a {@link JwtRetriever} that performs the steps to request
@@ -116,10 +108,11 @@
  */
 public class JwtBearerJwtRetriever implements JwtRetriever {
 
+    private static final Logger LOG = LoggerFactory.getLogger(JwtBearerJwtRetriever.class);
+
     private final Time time;
     private HttpJwtRetriever delegate;
-    private AssertionJwtTemplate assertionJwtTemplate;
-    private AssertionCreator assertionCreator;
+    private CloseableSupplier<String> assertionSupplier;
 
     public JwtBearerJwtRetriever() {
         this(Time.SYSTEM);
@@ -135,32 +128,12 @@ public void configure(Map<String, ?> configs, String saslMechanism, List<AppConf
 
         String scope = cu.validateString(SASL_OAUTHBEARER_SCOPE, false);
 
-        if (cu.validateString(SASL_OAUTHBEARER_ASSERTION_FILE, false) != null) {
-            File assertionFile = cu.validateFile(SASL_OAUTHBEARER_ASSERTION_FILE);
-            assertionCreator = new FileAssertionCreator(assertionFile);
-            assertionJwtTemplate = new StaticAssertionJwtTemplate();
-        } else {
-            String algorithm = cu.validateString(SASL_OAUTHBEARER_ASSERTION_ALGORITHM);
-            File privateKeyFile = cu.validateFile(SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_FILE);
-            Optional<String> passphrase = cu.containsKey(SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE) ?
-                Optional.of(cu.validatePassword(SASL_OAUTHBEARER_ASSERTION_PRIVATE_KEY_PASSPHRASE)) :
-                Optional.empty();
-
-            assertionCreator = new DefaultAssertionCreator(algorithm, privateKeyFile, passphrase);
-            assertionJwtTemplate = layeredAssertionJwtTemplate(cu, time);
-        }
-
-        Supplier<String> assertionSupplier = () -> {
-            try {
-                return assertionCreator.create(assertionJwtTemplate);
-            } catch (Exception e) {
-                throw new JwtRetrieverException(e);
-            }
-        };
+        assertionSupplier = AssertionSupplierFactory.create(cu, time);
 
         HttpRequestFormatter requestFormatter = new JwtBearerRequestFormatter(scope, assertionSupplier);
 
         delegate = new HttpJwtRetriever(requestFormatter);
+        LOG.debug("Created instance of {} as delegate", delegate.getClass().getName());
         delegate.configure(configs, saslMechanism, jaasConfigEntries);
     }
 
@@ -174,8 +147,7 @@ public String retrieve() throws JwtRetrieverException {
 
     @Override
     public void close() throws IOException {
-        Utils.closeQuietly(assertionCreator, "JWT assertion creator");
-        Utils.closeQuietly(assertionJwtTemplate, "JWT assertion template");
+        Utils.closeQuietly(assertionSupplier, "JWT assertion supplier");
         Utils.closeQuietly(delegate, "JWT retriever delegate");
     }
 }