strimzi / strimzi-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Unable to complete the authentication process with Keycloak #247

Closed mroiter-larus closed 1 week ago

mroiter-larus commented 1 month ago

Hi @mstruk ,

I'm trying to use the latest version (0.15.0) of the library in order to set up Kafka authentication via the OAUTHBEARER protocol (over SASL_SSL with self-signed certificates). Starting from the Confluent Kafka community edition, I customized the original Docker image, importing the strimzi-kafka-oauth JARs as mentioned in the documentation.

On the Keycloak side I've set up a kafkaBroker client with service account roles only:

Screenshot 2024-10-28 at 10 46 41

with the following client scopes:

Screenshot 2024-10-28 at 10 48 10

Following is a snippet of the docker-compose I've used to set up Kafka security:

...
...
      KAFKA_LOG4J_LOGGERS: 'kafka=WARN,kafka.controller=WARN,kafka.log.LogCleaner=WARN,state.change.logger=WARN,kafka.producer.async.DefaultEventHandler=WARN,log4j.logger.io.strimzi=DEBUG,log4j.logger.io.strimzi.kafka.oauth=DEBUG'
      KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:9092,OAUTH://kafka:10092,SSL://kafka:11092,CLEAR://kafka:12092
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SASL_PLAINTEXT,OAUTH:SASL_SSL,SSL:SSL,CLEAR:PLAINTEXT
      KAFKA_SUPER_USERS: User:kafkaAdmin;User:ANONYMOUS;User:service-account-kafkabroker;User:client-account-kafkaBroker;User:client-account-kadeck;
      KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
      KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER
      KAFKA_INTER_BROKER_LISTENER_NAME: OAUTH

      KAFKA_LISTENER_NAME_OAUTH_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
      KAFKA_LISTENER_NAME_OAUTH_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
      KAFKA_LISTENER_NAME_OAUTH_OAUTHBEARER_SASL_JAAS_CONFIG: org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
            oauth.client.id="kafkaBroker" \
            oauth.client.secret="*****" \
            oauth.token.endpoint.uri="http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/token" \
            oauth.valid.issuer.uri="http://keycloak:9090/realms/KafkaCluster" \
            oauth.jwks.endpoint.uri="http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/certs" \
            oauth.username.claim="preferred_username" \
            unsecuredLoginPrincipalClaimName="preferred_username" \
            unsecuredLoginStringClaim_sub="service-account-kafkabroker";

      KAFKA_AUTHORIZER_CLASS_NAME: io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer
      KAFKA_PRINCIPAL_BUILDER_CLASS: io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder

      # Authentication config
      OAUTH_CLIENT_ID: "kafkaBroker"
      OAUTH_CLIENT_SECRET: "*****"
      OAUTH_TOKEN_ENDPOINT_URI: "http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/token"
      OAUTH_HTTP_RETRIES: 2
      OAUTH_HTTP_RETRY_PAUSE_MILLIS: 500
      OAUTH_VALID_ISSUER_URI: "http://keycloak:9090/realms/KafkaCluster"
      OAUTH_JWKS_ENDPOINT_URI: "http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/certs"
      OAUTH_USERNAME_CLAIM: "preferred_username"
      OAUTH_FALLBACK_USERNAME_CLAIM: "client_id"
      OAUTH_FALLBACK_USERNAME_PREFIX: "client-account-"
      # minimum pause between two consecutive scheduled keys refreshes - the default is 1 second
      OAUTH_JWKS_REFRESH_MIN_PAUSE_SECONDS: "5"
      STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI: "http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/token"
      STRIMZI_AUTHORIZATION_CLIENT_ID: "kafkaBroker"
      STRIMZI_AUTHORIZATION_HTTP_RETRIES: 1

I've added some custom logs in the library in order to debug the authentication phase, and here is what I can see in the Kafka logs:

DEBUG Configured JaasClientOauthLoginCallbackHandler:
kafka  |     configId: client
kafka  |     token: null
kafka  |     tokenLocation: null
kafka  |     refreshToken: null
kafka  |     refreshTokenLocation: null
kafka  |     tokenEndpointUri: http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/token
kafka  |     clientId: kafkaBroker
kafka  |     clientSecret: ****
kafka  |     clientAssertion: null
kafka  |     clientAssertionLocation: null
kafka  |     clientAssertionType: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
kafka  |     username: null
kafka  |     password: null
kafka  |     scope: null
kafka  |     audience: null
kafka  |     isJwt: true
kafka  |     maxTokenExpirySeconds: -1
kafka  |     principalExtractor: PrincipalExtractor {usernameClaim: preferred_username, usernamePrefix: null, fallbackUsernameClaim: client_id, fallbackUsernamePrefix: client-account-}
kafka  |     connectTimeout: 60
kafka  |     readTimeout: 60
kafka  |     retries: 2
kafka  |     retryPauseMillis: 500
kafka  |     enableMetrics: false
kafka  |     includeAcceptHeader: true
kafka  |     saslExtensions: {} (io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler)

So it seems the login callback handler is detected correctly. In fact, in the following logs I can see the login has been done successfully:

DEBUG loginWithClientSecret() - tokenEndpointUrl: http://keycloak:9090/realms/KafkaCluster/protocol/openid-connect/token, clientId: kafkaBroker, clientSecret: ****, scope: null, audience: null, connectTimeout: 60, readTimeout: 60, retries: 2, retryPauseMillis: 500 (io.strimzi.kafka.oauth.common.OAuthAuthenticator)
kafka  | [2024-10-25 17:49:20,227] DEBUG Login succeeded; invoke commit() to commit it; current committed token count=0 (org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule)
kafka  | [2024-10-25 17:49:20,227] DEBUG Done committing my token; committed token count is now 1 (org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule)
kafka  | [2024-10-25 17:49:20,227] INFO Successfully logged in. (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)

But, after the above successful login, the following happens:

DEBUG Found expiring credential with principal 'service-account-kafkabroker'. (org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerRefreshingLogin)
kafka  | [2024-10-25 17:49:20,228] DEBUG [Principal=:service-account-kafkabroker]: It is an expiring credential (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)
kafka  | [2024-10-25 17:49:20,229] INFO [Principal=:service-account-kafkabroker]: Expiring credential re-login thread started. (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)
kafka  | [2024-10-25 17:49:20,241] INFO [Principal=service-account-kafkabroker]: Expiring credential valid from Fri Oct 25 17:49:20 CEST 2024 to Fri Oct 25 17:54:20 CEST 2024 (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)
kafka  | [2024-10-25 17:49:20,241] WARN [Principal=:service-account-kafkabroker]: Expiring credential expires at Fri Oct 25 17:54:20 CEST 2024, so buffer times of 60 and 300 seconds at the front and back, respectively, cannot be accommodated.  We will refresh at Fri Oct 25 17:53:21 CEST 2024. (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)
kafka  | [2024-10-25 17:49:20,241] INFO [Principal=:service-account-kafkabroker]: Expiring credential re-login sleeping until: Fri Oct 25 17:53:21 CEST 2024 (org.apache.kafka.common.security.oauthbearer.internals.expiring.ExpiringCredentialRefreshingLogin)
kafka  | [2024-10-25 17:49:20,289] DEBUG Created SSL context with keystore SecurityStore(path=/etc/kafka/secrets/kafka.kafka.keystore.jks, modificationTime=Thu Sep 05 12:38:39 CEST 2024), truststore SecurityStore(path=/etc/kafka/secrets/kafka.kafka.truststore.jks, modificationTime=Thu Sep 05 12:38:40 CEST 2024), provider SunJSSE. (org.apache.kafka.common.security.ssl.DefaultSslEngineFactory)
kafka  | [2024-10-25 17:49:20,698] ERROR No principal name in JWT claim: sub (org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule)
kafka  | java.io.IOException: No principal name in JWT claim: sub
kafka  |    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredLoginCallbackHandler.handle(OAuthBearerUnsecuredLoginCallbackHandler.java:165)
kafka  |    at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.identifyToken(OAuthBearerLoginModule.java:316)
kafka  |    at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.login(OAuthBearerLoginModule.java:301)
kafka  |    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:747)
kafka  |    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:672)
kafka  |    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:670)
kafka  |    at java.base/java.security.AccessController.doPrivileged(Native Method)
kafka  |    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:670)
kafka  |    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:581)
kafka  |    at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60)
kafka  |    at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62)
kafka  |    at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112)
kafka  |    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:170)
kafka  |    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
kafka  |    at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
kafka  |    at kafka.network.Processor.<init>(SocketServer.scala:922)
kafka  |    at kafka.network.Acceptor.newProcessor(SocketServer.scala:830)
kafka  |    at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:800)
kafka  |    at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
kafka  |    at kafka.network.Acceptor.addProcessors(SocketServer.scala:799)
kafka  |    at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:503)
kafka  |    at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:228)
kafka  |    at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:173)
kafka  |    at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:173)
kafka  |    at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:575)
kafka  |    at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:573)
kafka  |    at scala.collection.AbstractIterable.foreach(Iterable.scala:933)
kafka  |    at kafka.network.SocketServer.<init>(SocketServer.scala:173)
kafka  |    at kafka.server.KafkaServer.startup(KafkaServer.scala:332)
kafka  |    at kafka.Kafka$.main(Kafka.scala:115)
kafka  |    at kafka.Kafka.main(Kafka.scala)
kafka  | Caused by: org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerConfigException: No principal name in JWT claim: sub
kafka  |    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredLoginCallbackHandler.handleTokenCallback(OAuthBearerUnsecuredLoginCallbackHandler.java:219)
kafka  |    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredLoginCallbackHandler.handle(OAuthBearerUnsecuredLoginCallbackHandler.java:163)
kafka  |    ... 30 more
kafka  | Caused by: org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerIllegalTokenException: No principal name in JWT claim: sub
kafka  |    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredJws.<init>(OAuthBearerUnsecuredJws.java:109)
kafka  |    at org.apache.kafka.common.security.oauthbearer.internals.unsecured.OAuthBearerUnsecuredLoginCallbackHandler.handleTokenCallback(OAuthBearerUnsecuredLoginCallbackHandler.java:211)
kafka  |    ... 31 more

As you can see here, the login callback handler is OAuthBearerUnsecuredLoginCallbackHandler and not the one I had set up (JaasClientOauthLoginCallbackHandler). I can't understand why this is happening.

After that, the Kafka startup process ends with the following error:

ERROR [KafkaServer id=1] Fatal error during KafkaServer startup. Prepare to shutdown (kafka.server.KafkaServer)
kafka  | org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: An internal error occurred while retrieving token from callback handler
kafka  |    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:184)
kafka  |    at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:192)
kafka  |    at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:107)
kafka  |    at kafka.network.Processor.<init>(SocketServer.scala:922)
kafka  |    at kafka.network.Acceptor.newProcessor(SocketServer.scala:830)
kafka  |    at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:800)
kafka  |    at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
kafka  |    at kafka.network.Acceptor.addProcessors(SocketServer.scala:799)
kafka  |    at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:503)
kafka  |    at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:228)
kafka  |    at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:173)
kafka  |    at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:173)
kafka  |    at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:575)
kafka  |    at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:573)
kafka  |    at scala.collection.AbstractIterable.foreach(Iterable.scala:933)
kafka  |    at kafka.network.SocketServer.<init>(SocketServer.scala:173)
kafka  |    at kafka.server.KafkaServer.startup(KafkaServer.scala:332)
kafka  |    at kafka.Kafka$.main(Kafka.scala:115)
kafka  |    at kafka.Kafka.main(Kafka.scala)
kafka  | Caused by: javax.security.auth.login.LoginException: An internal error occurred while retrieving token from callback handler
kafka  |    at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.identifyToken(OAuthBearerLoginModule.java:319)
kafka  |    at org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule.login(OAuthBearerLoginModule.java:301)
kafka  |    at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:747)
kafka  |    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:672)
kafka  |    at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:670)
kafka  |    at java.base/java.security.AccessController.doPrivileged(Native Method)
kafka  |    at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:670)
kafka  |    at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:581)
kafka  |    at org.apache.kafka.common.security.authenticator.AbstractLogin.login(AbstractLogin.java:60)
kafka  |    at org.apache.kafka.common.security.authenticator.LoginManager.<init>(LoginManager.java:62)
kafka  |    at org.apache.kafka.common.security.authenticator.LoginManager.acquireLoginManager(LoginManager.java:112)
kafka  |    at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:170)
kafka  |    ... 18 more

Am I missing something in the configuration? Any suggestions would be really appreciated. If you need further details about the configuration, please let me know.

Thanks in advance!

Mauro

mroiter-larus commented 1 week ago

@scholzj any suggestions please?

scholzj commented 1 week ago

Sorry, I don't know much about OAuth. Plus Confluent platform is a fork of Apache Kafka and I have zero experience with it. So who knows if it even works there.

scholzj commented 1 week ago

@mstruk Do you have any idea about this? You might at least understand the OAuth part.

mstruk commented 1 week ago

The provided info does not point to a definite cause. It could be a listeners misconfiguration, it could be a Keycloak realm misconfiguration ... In principle OAuth should work fine with the Confluent platform, as it does not care about the distribution itself, only that you use upstream-compatible Kafka.

@mroiter-larus You should really turn on DEBUG logging for the logger io.strimzi and provide the full output of that log. Also, it would help to see the content of server.properties. The exception that you get points to an interbroker channel failure: it seems that you configured your Kafka so that the interbroker communication also uses the OAUTHBEARER-protected listener, and the client side of it tries to authenticate. The way you configured token validation, it seems to expect to extract the user id from the JWT token's sub claim, but it seems there is no such claim in the token that you get from Keycloak.

It's as if your OAUTH_USERNAME_CLAIM is ignored, or Keycloak's access token uses a different claim name, for example username rather than preferred_username. You should inspect the JWT token you get from Keycloak.
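The inspection step suggested above, as an added example that is not part of the issue thread or of the strimzi-kafka-oauth code base: decode the payload of an access token (without verifying it; this is only for looking at claim names, the broker's JWKS validation still does the real check) and apply the same principal-extraction rule the library's debug output describes (usernameClaim, then fallbackUsernameClaim with fallbackUsernamePrefix). The sample payload is constructed to mirror the claim names of a Keycloak service-account token; the issuer host, sub value and placeholder signature are made up.

```python
import base64
import json
from typing import Optional

# Constructed sample payload: same claim names a Keycloak service-account
# token carries, with made-up values (not copied from any real token).
SAMPLE_PAYLOAD = {
    "exp": 1732097189,
    "iat": 1732096889,
    "iss": "https://keycloak.example/realms/KafkaCluster",
    "aud": ["kafkaBroker", "account"],
    "sub": "00000000-0000-4000-8000-000000000000",
    "typ": "Bearer",
    "azp": "kafkaBroker",
    "scope": "profile email openid",
    "preferred_username": "service-account-kafkabroker",
    "client_id": "kafkaBroker",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string (header.payload.signature) for local testing.
    The signature segment is a placeholder; nothing here signs or verifies."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying it.
    Use this only to see which claims the token contains."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    segment = parts[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def extract_principal(claims: dict, username_claim: str, username_prefix: str = "",
                      fallback_claim: Optional[str] = None,
                      fallback_prefix: str = "") -> Optional[str]:
    """Mirror the extraction rule shown in the library's PrincipalExtractor
    debug line: primary claim (with optional prefix), else fallback claim
    (with its prefix), else no principal. Assumption: this reimplements the
    documented behaviour, it is not the library's own code."""
    value = claims.get(username_claim)
    if value:
        return f"{username_prefix}{value}"
    if fallback_claim:
        fallback = claims.get(fallback_claim)
        if fallback:
            return f"{fallback_prefix}{fallback}"
    return None


def diagnose(token: str, username_claim: str, fallback_claim: Optional[str] = None,
             fallback_prefix: str = "") -> dict:
    """Report what a broker configured with the given claim settings would see."""
    claims = decode_jwt_payload(token)
    return {
        "claims_present": sorted(claims),
        "has_sub": "sub" in claims,
        "username_claim_present": username_claim in claims,
        "principal": extract_principal(claims, username_claim,
                                       fallback_claim=fallback_claim,
                                       fallback_prefix=fallback_prefix),
    }


if __name__ == "__main__":
    token = make_unsigned_jwt(SAMPLE_PAYLOAD)
    # Settings from the issue: preferred_username, fallback client_id, prefix client-account-
    print(json.dumps(diagnose(token, "preferred_username", "client_id", "client-account-"), indent=2))
    # A misnamed claim (e.g. "username") falls through to the fallback claim instead.
    print(json.dumps(diagnose(token, "username", "client_id", "client-account-"), indent=2))
```

Run it against a real token by replacing the constructed payload with the output of `decode_jwt_payload(<token string>)`; the `principal` field then tells you which identity the broker would derive, and `username_claim_present` tells you whether the configured claim name actually exists in the token.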

mroiter-larus commented 1 week ago

@scholzj @mstruk Thanks for pointing me to the Kafka listeners. That was misconfigured. I'm finally able to complete the authentication process using the following configuration:

KAFKA_LOG4J_ROOT_LOGLEVEL: 'DEBUG'
KAFKA_LOG4J_LOGGERS: 'kafka=WARN,kafka.controller=WARN,kafka.log.LogCleaner=WARN,state.change.logger=WARN,kafka.producer.async.DefaultEventHandler=WARN,log4j.logger.io.strimzi=DEBUG,log4j.logger.io.strimzi.kafka.oauth=DEBUG'
KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:9092,OAUTH://kafka:10092,SSL://kafka:11092,CLEAR://kafka:12092
KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: INTERNAL:SASL_PLAINTEXT,OAUTH:SASL_SSL,SSL:SSL,CLEAR:PLAINTEXT
KAFKA_SASL_MECHANISM_INTER_BROKER_PROTOCOL: OAUTHBEARER
KAFKA_SASL_ENABLED_MECHANISMS: OAUTHBEARER
KAFKA_INTER_BROKER_LISTENER_NAME: OAUTH
KAFKA_LISTENER_NAME_OAUTH_OAUTHBEARER_SASL_SERVER_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
KAFKA_LISTENER_NAME_OAUTH_OAUTHBEARER_SASL_LOGIN_CALLBACK_HANDLER_CLASS: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
KAFKA_OPTS: -Djava.security.auth.login.config=/etc/kafka/secrets/broker_jaas.conf

and then pointing to a static JAAS config file:

KafkaServer {
    org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required 
        oauth.client.id="kafkaBroker" 
        oauth.client.secret="****"
        oauth.token.endpoint.uri="https://<keycloak_host>:9553/realms/KafkaCluster/protocol/openid-connect/token"
        oauth.valid.issuer.uri="https://<keycloak_host>:9553/realms/KafkaCluster"
        oauth.jwks.endpoint.uri="https://<keycloak_host>:9553/realms/KafkaCluster/protocol/openid-connect/certs"
        oauth.username.claim="preferred_username"
        unsecuredLoginStringClaim_sub="unused";
};

KafkaClient {
    org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
        oauth.client.id="kafkaBroker"
        oauth.client.secret="****"
        oauth.token.endpoint.uri="https://<keycloak_host>:9553/realms/KafkaCluster/protocol/openid-connect/token"
        oauth.jwks.endpoint.uri="https://<keycloak_host>:9553/realms/KafkaCluster/protocol/openid-connect/certs"
        oauth.username.claim="preferred_username";
};

As you can see from the Kafka broker configuration part, I had already enabled the DEBUG logs for the io.strimzi package, and now I can finally see the authentication has been established successfully:

kafka  | [2024-11-20 11:01:32,053] DEBUG Access token expires at (UTC): 2024-11-20T10:06:29 (io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler)
kafka  | [2024-11-20 11:01:32,057] DEBUG User validated (Principal:service-account-kafkabroker) (io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler)
kafka  | [2024-11-20 11:01:32,059] INFO ### CHECK LOG LEVEL 'true' ### (io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler)
kafka  | [2024-11-20 11:01:32,070] DEBUG Set validated token on callback: BearerTokenWithPayloadImpl (principalName: service-account-kafkabroker, groups: null, lifetimeMs: 1732097189000 [2024-11-20T10:06:29 UTC], startTimeMs: 1732096889000 [2024-11-20T10:01:29 UTC], scope: [openid, profile, email], payload: {"exp":1732097189,"iat":1732096889,"jti":"aab24feb-4e9a-41c0-a87c-0a9201bc80fa","iss":"https://<keycloak_host>:9553/realms/KafkaCluster","aud":["kafkaBroker","account"],"sub":"51ebb679-4b74-4790-abd2-5f3577aeda70","typ":"Bearer","azp":"kafkaBroker","acr":"1","allowed-origins":["/*"],"realm_access":{"roles":["offline_access","uma_authorization","default-roles-kafkacluster"]},"resource_access":{"kafkaBroker":{"roles":["uma_protection"]},"account":{"roles":["manage-account","manage-account-links","view-profile"]}},"scope":"profile email openid","clientHost":"172.18.0.1","email_verified":false,"preferred_username":"service-account-kafkabroker","clientAddress":"172.18.0.1","client_id":"kafkaBroker"}, sessionId: 1669634415) (io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler)
kafka  | [2024-11-20 11:01:32,071] DEBUG Successfully authenticate User=service-account-kafkabroker (org.apache.kafka.common.security.oauthbearer.internals.OAuthBearerSaslServer)
kafka  | [2024-11-20 11:01:32,072] DEBUG Authentication complete; session max lifetime from broker config=3600000 ms, credential expiration=Wed Nov 20 11:06:29 CET 2024 (296929 ms); session expiration = Wed Nov 20 11:06:29 CET 2024 (296929 ms), sending 296929 ms to client (org.apache.kafka.common.security.authenticator.SaslServerAuthenticator)

Thanks for your support!