Releases: strimzi/strimzi-kafka-oauth
0.11.0-rc4
Main Changes since 0.10.x
Added OAuth metrics support
Added support for OAuth related metrics. It is disabled by default. To enable it, set the oauth.enable.metrics OAuth configuration option to true. Use metrics.reporters and the other Kafka metrics.* configuration options to control how metrics are captured and exported.
Added password grant support
The Resource Owner Password Credentials grant was added for interoperability in existing corporate environments where established security policies prevent using client credentials to authenticate client applications. The reason can also be purely technical, in that the existing Identity and Access Management (IAM) solution only supports user accounts, even where the 'user' is actually an application service.
Added oauth.jwks.ignore.key.use config option
Set this option to true in order to use all the keys in the JWKS response for token signature validation, regardless of their use attribute. This makes it possible to use authorization servers that don't set the use attribute on their JWKS keys.
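The key-selection policy behind oauth.jwks.ignore.key.use, as an added illustration that is not the project's own code: a constructed JWKS with one key marked use=sig and one key without a use attribute, and a signature check that only succeeds for the second key once the option is on. HS256 'oct' keys are used purely to keep the example standard-library only; real JWKS endpoints serve RSA or EC keys, but the selection logic is the same.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def select_signing_keys(jwks: dict, ignore_key_use: bool) -> dict:
    """Return {kid: jwk} eligible for signature checks. Default policy keeps only
    keys marked use=sig; with ignore_key_use every key is kept, including keys
    that carry no use attribute at all (the case the option exists for)."""
    return {k["kid"]: k for k in jwks.get("keys", [])
            if ignore_key_use or k.get("use") == "sig"}

def verify_hs256(token: str, keys: dict):
    """Verify a compact JWS signed with HS256 using an 'oct' JWK from `keys`.
    Returns the claims on success, None if no eligible key or bad signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = keys.get(header.get("kid"))
    if key is None or key.get("kty") != "oct" or header.get("alg") != "HS256":
        return None
    expected = hmac.new(b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def sign_hs256(claims: dict, kid: str, secret: bytes) -> str:
    """Build a test token (the 'authorization server' side of the constructed setup)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed JWKS: key-a is marked for signing, key-b omits the use attribute.
SECRET_A = b"constructed-secret-a-do-not-reuse-32b"
SECRET_B = b"constructed-secret-b-do-not-reuse-32b"
JWKS = {"keys": [
    {"kty": "oct", "kid": "key-a", "use": "sig", "k": b64url_encode(SECRET_A)},
    {"kty": "oct", "kid": "key-b", "k": b64url_encode(SECRET_B)},
]}
TOKEN_B = sign_hs256({"sub": "svc-orders", "typ": "Bearer"}, "key-b", SECRET_B)
```

With the option off, select_signing_keys drops key-b and TOKEN_B fails validation; with it on, every published key becomes a candidate signature key, so enable it only for servers that omit the attribute rather than ones that use it to separate signing from other keys.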
Added support for unprotected truststores
Truststores with an empty password are now supported.
For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.11.0 milestone.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1195</url>
  </repository>
</repositories>
0.11.0-rc3
Main Changes since 0.10.x: identical to the notes for 0.11.0-rc4 above.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1194</url>
  </repository>
</repositories>
0.11.0-rc2
Main Changes since 0.10.x: identical to the notes for 0.11.0-rc4 above.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1193</url>
  </repository>
</repositories>
0.11.0-rc1
Main Changes since 0.10.x: identical to the notes for 0.11.0-rc4 above.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1187</url>
  </repository>
</repositories>
0.10.0
Main Changes since 0.9.x
Added connect and read timeouts for communication with the authorization server
Before, when a Kafka client or broker connected to the authorization server during authentication or token validation, no connect timeout and no read timeout were applied. As a result, if a reverse proxy in front of the authorization server or a glitch in a network component prevented normal connectivity, the authentication request could stall for a long time.
To address this, the default connect timeout and read timeout are now both set to 60 seconds, and they are configurable via oauth.connect.timeout.seconds and oauth.read.timeout.seconds.
Added groups extraction and exposed groups info via OAuthKafkaPrincipal
Added an authentication-time mechanism on the broker where a JsonPath query can be configured to extract a set of groups from a JWT token during authentication. A custom authorizer can then retrieve this information through the OAuthKafkaPrincipal object available during the authorize() call.
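The groups extraction described above, as an added illustration rather than the project's own code: a small JsonPath-subset evaluator (dotted names plus [*] and [n] indexes) run against constructed JWT claims, flattening either a list-valued claim or a delimited string into the set of groups an authorizer would see. The query strings and the delimiter are constructed for the example; the project's option names are not assumed.

```python
import json
import re

_STEP = re.compile(r"\.([A-Za-z0-9_-]+)|\[(\*|\d+)\]")

def jsonpath_get(doc, path: str) -> list:
    """Evaluate a JsonPath subset: '$' root, '.name' steps, '[*]' and '[n]'.
    Returns every matched node (empty list if the path does not resolve)."""
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    steps = list(_STEP.finditer(path[1:]))
    if "".join(m.group(0) for m in steps) != path[1:]:
        raise ValueError(f"unsupported JsonPath syntax: {path!r}")
    nodes = [doc]
    for m in steps:
        name, index = m.group(1), m.group(2)
        nxt = []
        for n in nodes:
            if name and isinstance(n, dict) and name in n:
                nxt.append(n[name])
            elif index == "*" and isinstance(n, list):
                nxt.extend(n)
            elif index and isinstance(n, list) and int(index) < len(n):
                nxt.append(n[int(index)])
        nodes = nxt
    return nodes

def extract_groups(claims: dict, groups_query: str, delimiter: str = ",") -> set:
    """Flatten the query result into a set of group names: a list yields its
    elements, a single string is split on the delimiter, anything else is ignored."""
    groups = set()
    for node in jsonpath_get(claims, groups_query):
        if isinstance(node, list):
            groups.update(str(g) for g in node)
        elif isinstance(node, str):
            groups.update(g.strip() for g in node.split(delimiter) if g.strip())
    return groups

# Constructed claims as a broker might see them after token validation.
CLAIMS = json.loads("""{
  "sub": "svc-orders", "typ": "Bearer",
  "realm_access": {"roles": ["kafka-producer", "offline_access"]},
  "groups": "finance, billing"
}""")
```

A query that does not resolve yields an empty set rather than an error, which is the behaviour a deny-by-default authorizer wants: a token without the expected claim simply carries no groups.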
Added access to parsed JWT token
When writing a custom authorizer you may need access to the already parsed JWT token, or to the map of claims returned by the introspection endpoint. A getJSON() method has been added to BearerTokenWithPayload for this purpose.
For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.10.0 milestone.
0.10.0-rc1
Main Changes since 0.9.x: identical to the notes for 0.10.0 above.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1161</url>
  </repository>
</repositories>
0.9.0
Main Changes since 0.8.x
KeycloakRBACAuthorizer and OAuthSessionAuthorizer migrated to KIP-504
The authorizers have been migrated to the Authorizer API introduced in Kafka 2.4.0. As a result the authorizers no longer work in Kafka 2.3.x and earlier versions.
The logging to .grant and .deny logs now takes into account hints from Kafka about whether the authorization decision for a specific action should be logged or not.
Fixed a parsing bug in KeycloakRBACAuthorizer
Fixed a bug when parsing the kafka-cluster section of a Keycloak authorization services resource pattern. If Keycloak authorization services grants were targeted using a pattern ending with *, as in kafka-cluster:*,Topic:my_topic or kafka-cluster:prod_*,Topic:my_topic, the parsing was invalid and caused matching of the grant rule to always fail (authorization was denied). Using just Topic:my_topic would correctly match any cluster, and kafka-cluster:my-cluster,Topic:my_topic would match only if my-cluster was set as the cluster name.
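The corrected matching semantics for the resource patterns above, as an added simplified model and not the project's parser: the optional kafka-cluster section is split off, a bare * or a trailing * in it is honoured, and the remaining Type:name section must match the requested resource. Treating a trailing * in the resource-name section as a prefix wildcard too is an assumption of this example.

```python
CLUSTER_PREFIX = "kafka-cluster:"

def name_matches(pattern: str, actual: str) -> bool:
    """A bare '*' matches any name, a trailing '*' is a prefix wildcard,
    anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return actual.startswith(pattern[:-1])
    return pattern == actual

def parse_resource_pattern(pattern: str):
    """Split 'kafka-cluster:<cluster>,<Type>:<name>' into its three parts.
    The kafka-cluster section is optional; when omitted it means any cluster."""
    sections = pattern.split(",")
    cluster = "*"
    if sections[0].startswith(CLUSTER_PREFIX):
        cluster = sections.pop(0)[len(CLUSTER_PREFIX):]
    if len(sections) != 1 or ":" not in sections[0]:
        raise ValueError(f"unsupported resource pattern: {pattern!r}")
    resource_type, resource_name = sections[0].split(":", 1)
    return cluster, resource_type, resource_name

def grant_matches(pattern: str, cluster: str, resource_type: str, resource_name: str) -> bool:
    """True if the grant's resource pattern covers the given cluster and resource.
    Before the fix described above, a kafka-cluster section ending in '*' never matched,
    so grants written that way silently denied everything."""
    cluster_pat, type_pat, name_pat = parse_resource_pattern(pattern)
    return (name_matches(cluster_pat, cluster)
            and type_pat == resource_type
            and name_matches(name_pat, resource_name))
```

Because a wildcard grant that fails to parse degrades to deny, the symptom of the old bug was authorization failures for exactly the grants meant to be broadest, which is worth checking in .deny logs after an authorizer upgrade.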
Fixed concurrency issue with OAuth over PLAIN
If multiple producers or consumers were used concurrently with the same credentials, there was a high likelihood of the principal presenting as KafkaPrincipal rather than OAuthKafkaPrincipal after successful authentication. As a result, a custom authorizer would not recognise and properly match such a session during the authorization check. Depending on the custom authorizer, this could result in the delegation of authorization decisions to the ACL Authorizer, or in denial of permissions.
Improved error reporting when using Quarkus native without https enabled
When preparing an https connection to the authorization server, the reported error would say that the URL was malformed, and the actual cause was not logged.
Token type check now also passes if a 'token_type: "Bearer"' claim is present in the JWT token
The oauth.check.access.token.type option, enabled by default, triggers a token type check which verifies that the value of the typ claim in the JWT token is set to Bearer. If the typ claim is not present, the check now falls back to checking whether a token_type claim with the value Bearer is present in the access token.
For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.9.0 milestone.
0.9.0-rc1
Main Changes since 0.8.x: identical to the notes for 0.9.0 above.
Staging repository
To test the release, use the staging repository by including the following in your pom.xml:
<repositories>
  <repository>
    <id>staging</id>
    <url>https://oss.sonatype.org/content/repositories/iostrimzi-1122</url>
  </repository>
</repositories>
0.8.1
Main Changes since 0.8.0
- Update dependencies to resolve CVE-2021-27568.
0.8.0
Main Changes since 0.7.x
Support for PEM certificates
PEM certificates can now be used directly without being converted to Java Keystore or PKCS12 formats. To use PEM certificates, set the oauth.ssl.truststore.type option to PEM and either specify the location of the PEM file in oauth.ssl.truststore.location or set the certificates directly in oauth.ssl.truststore.certificates.
Replaced keycloak-core library with nimbus-jose-jwt
JWT token validation now uses a different third-party library. As a result, ECDSA support no longer requires the BouncyCastle library. Also, some JWT tokens that would previously fail can now be handled, widening support for different authorization servers.
Option oauth.audience has been added to client and server configuration
Sometimes the authorization server may require an audience parameter to be passed when authenticating to the token endpoint.
Pass the configured oauth.scope option on the Kafka broker as scope when performing clientId + secret authentication on the broker
While the option has existed, it was only used for inter-broker authentication, and not for OAuth over PLAIN.
For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.8.0 milestone.