Closed vperi1730 closed 4 years ago
I do not think anyone from the Strimzi team tried it. So you will need to figure it out yourself. For the TLS, maybe you need to provide a certificate or something: https://strimzi.io/docs/operators/latest/full/using.html#type-KafkaListenerAuthenticationOAuth-reference
Hi Scholzj,
I am getting the below error while running the producer script after enabling OAuth in the CR. I haven't set this grant type anywhere in my Kafka CR; however, I knew that the value has to be authorization_code instead of client_credentials.
Do we have any workaround to resolve this?
```yaml
tls:
  authentication:
    type: oauth
    validIssuerUri: "https://accounts.google.com/o/oauth2/v2/auth"
    introspectionEndpointUri: "https://accounts.google.com/o/oauth2/token"
    clientId: "835970994981-14mqluev54fa9vutrmpkj89fjppacd49.apps.googleusercontent.com"
    clientSecret:
      secretName: my-client-oauth-secret
      key: client-secret
```
```
[kafka@kafka-oauth-cluster-kafka-0 kafka]$ ./bin/kafka-console-producer.sh --broker-list kafka-oauth-cluster-kafka-bootstrap.kafka-oauth:9093 --topic july22-topic --producer-property 'security.protocol=SASL_SSL' --producer-property 'sasl.mechanism=OAUTHBEARER' --producer-property 'sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;' --producer-property 'sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler'
OpenJDK 64-Bit Server VM warning: If the number of processors is expected to increase from one, then you should configure the number of parallel GC threads appropriately using -XX:ParallelGCThreads=N
org.apache.kafka.common.KafkaException: Failed to construct kafka producer
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:432)
	at org.apache.kafka.clients.producer.KafkaProducer.<init>(KafkaProducer.java:298)
	at kafka.tools.ConsoleProducer$.main(ConsoleProducer.scala:45)
	at kafka.tools.ConsoleProducer.main(ConsoleProducer.scala)
Caused by: org.apache.kafka.common.KafkaException: javax.security.auth.login.LoginException: io.strimzi.kafka.oauth.common.HttpException: POST request to https://accounts.google.com/o/oauth2/token failed with status 400: {
  "error": "unsupported_grant_type",
  "error_description": "Invalid grant_type: client_credentials"
}
```
I think you are mixing very different use cases. This is not a web application which would use OAuth for people to log in. OAuth in Kafka is used for applications and not for persons. That means it is using different mechanisms such as client credentials etc. You cannot expect that some person will be logging into Google every time some pod restarts in Kubernetes cluster in order to authenticate.
I have no idea if there are some workarounds or ways to make this work through some hacks etc. But it is well beyond our scope in Strimzi.
Does Strimzi support the Google OAuth 2.0 authorization server approach? In the documentation I see it for Keycloak and Hydra only, and nowhere is it mentioned whether any others are supported.
Basically I have a requirement to enable Kafka with auth type OAuth using the Google OAuth2 API, so I was trying all the configurations provided in the Strimzi docs, but couldn't get there somehow.
> Does Strimzi support the Google OAuth 2.0 authorization server approach? In the documentation I see it for Keycloak and Hydra only, and nowhere is it mentioned whether any others are supported.

Well, I told you right at the beginning that I'm sure that nobody tried it. Please understand that this is an open source project - nobody gives you any guarantees that something does or doesn't work. As you noticed, we are testing against Keycloak and Hydra. If you need more, you might need to figure it out yourself and contribute it to the project.

> Basically I have a requirement to enable Kafka with auth type OAuth using the Google OAuth2 API, so I was trying all the configurations provided in the Strimzi docs, but couldn't get there somehow.

I'm not sure what your use case is. But as I said before, Google IMHO does not offer a regular OAuth 2.0 Authorization server. It just lets you use their accounts for logging in into different WebApps. This is a very different use case from securing application to application communication with a protocol like Kafka. So it might be non-trivial to get it working.
Sure, I agree with this. Thanks, Scholzj.
https://stackoverflow.com/questions/40102110/can-i-use-grant-type-client-credentials-for-google-api confirms that Google OAuth only supports two types of OAuth grants:
I'm in no way an expert on these things. What I would like to accomplish is to have an external listener for my Kafka cluster with authentication against Google Oauth, used only to provide developer access from workstations, with developers authenticating using their regular Gsuite accounts.
Fully understand that nobody has tried this. Will experiment a bit if I find the time.
@vperi1730 - perhaps https://github.com/strimzi/strimzi-kafka-oauth#configuring-the-oauth2-1 can be of help? It specifically mentions ways to do password authentication, although I don't know if that's your use case.
Google has full support to use OIDC ID tokens in server-to-server use cases to authenticate the identity of a service account. I could run a local test of the auth flow with an access token, with the broker performing fast local validation.

```yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    version: 2.6.0
    replicas: 1
    listeners:
      - name: external
        port: 9094
        type: nodeport
        authentication:
          type: oauth
          validIssuerUri: "https://accounts.google.com"
          jwksEndpointUri: "https://www.googleapis.com/oauth2/v3/certs"
          userNameClaim: email
          # disabled because the ID tokens carry "typ": "JWT"
          checkAccessTokenType: false
```
For Kafka clients use this config:

```properties
oauth.token.endpoint.uri=https://oauth2.googleapis.com/token
oauth.username.claim=email
oauth.access.token=$JWT_TOKEN
```
Generate an ID token via the CLI:

```sh
gcloud auth activate-service-account --key-file=/path/to/svc_account.json
gcloud auth print-identity-token --audience=https://example.com
# impersonate an SA https://cloud.google.com/iam/docs/impersonating-service-accounts
gcloud auth print-identity-token --audiences=https://example.com --impersonate-service-account impersonated-account@projectID.iam.gserviceaccount.com
```
or in Java using google-auth-library-java:

```java
import java.util.Arrays;
import com.google.auth.oauth2.GoogleCredentials;
import com.google.auth.oauth2.IdTokenCredentials;
import com.google.auth.oauth2.IdTokenProvider;
import com.google.auth.oauth2.ImpersonatedCredentials;

public class GoogleIdToken {
    public static void main(String[] args) throws Exception {
        // Application Default Credentials: gcloud login, GOOGLE_APPLICATION_CREDENTIALS, or the metadata server
        GoogleCredentials credentials = GoogleCredentials.getApplicationDefault();
        // Impersonate the target SA (caller needs roles/iam.serviceAccountTokenCreator on it); lifetime in seconds
        ImpersonatedCredentials tokenProvider = ImpersonatedCredentials.create(credentials, "impersonated-account@projectID.iam.gserviceaccount.com",
                null, Arrays.asList("https://www.googleapis.com/auth/cloud-platform"), 300);
        // Mint an OIDC ID token for the audience; INCLUDE_EMAIL populates the "email" claim the broker maps to the principal
        IdTokenCredentials idToken = IdTokenCredentials.newBuilder()
                .setIdTokenProvider((IdTokenProvider) tokenProvider)
                .setTargetAudience("https://example.com")
                .setOptions(Arrays.asList(IdTokenProvider.Option.INCLUDE_EMAIL))
                .build();
        idToken.refreshIfExpired();
        String token = idToken.getIdToken().getTokenValue();
        System.out.println(token);
    }
}
```
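As an added illustration (not code from this thread and not Strimzi's Java validator), the following stand-alone Go program models what the listener configuration above does with such a Google ID token during fast local validation: select the signing key by `kid` from the JWKS, verify the RS256 signature, check `iss` against `validIssuerUri` and `exp` against the clock, and map the `email` claim to the Kafka principal. Everything in it is constructed: the RSA issuer key and the kid `demo-kid-1`, the service-account email, the forged `attacker@example.com` claim, and the audience `https://kafka.internal`. The `typ == "Bearer"` rule is my assumption about what `checkAccessTokenType` enforces (it explains why the CR above switches it off for tokens that carry `typ` only in the header), and `ExpectedAudience` is an extra check that is not in the posted CR.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ListenerConfig mirrors the listener fields above; ExpectedAudience is an added check (assumption).
type ListenerConfig struct {
	ValidIssuerURI, UserNameClaim, ExpectedAudience string
	CheckAccessTokenType                            bool
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodePart base64url-decodes one JWT segment and parses it as JSON into v.
func decodePart(part string, v interface{}) error {
	return json.NewDecoder(base64.NewDecoder(base64.RawURLEncoding, strings.NewReader(part))).Decode(v)
}

// mintIDToken signs an RS256 JWT as an OIDC issuer would; a constructed stand-in for the gcloud token.
func mintIDToken(key *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid, "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64(sig), err
}

// ValidateToken is the broker's "fast local validation": pinned alg, key by kid from the JWKS, signature,
// then iss, exp, optional typ and aud, and the principal from the username claim. The typ rule is modelled
// as "payload carries typ == Bearer", an assumption about what checkAccessTokenType enforces.
func ValidateToken(token string, keys map[string]*rsa.PublicKey, cfg ListenerConfig, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var header struct{ Alg, Kid string }
	var claims map[string]interface{}
	if len(parts) != 3 || decodePart(parts[0], &header) != nil || decodePart(parts[1], &claims) != nil ||
		header.Alg != "RS256" { // a pinned alg refuses alg=none and RSA/HMAC key confusion
		return "", fmt.Errorf("malformed token or unsupported alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	pub, ok := keys[header.Kid]
	if !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", fmt.Errorf("signature check failed for kid %q", header.Kid) // nothing below runs on unverified claims
	}
	str := func(k string) string { s, _ := claims[k].(string); return s }
	exp, hasExp := claims["exp"].(float64)
	switch {
	case str("iss") != cfg.ValidIssuerURI:
		return "", fmt.Errorf("issuer %q not trusted", str("iss"))
	case !hasExp || !now.Before(time.Unix(int64(exp), 0)):
		return "", fmt.Errorf("token expired or has no exp")
	case cfg.CheckAccessTokenType && str("typ") != "Bearer":
		return "", fmt.Errorf("token type %q is not Bearer", str("typ"))
	case cfg.ExpectedAudience != "" && str("aud") != cfg.ExpectedAudience:
		return "", fmt.Errorf("audience %q not meant for this listener", str("aud"))
	case str(cfg.UserNameClaim) == "":
		return "", fmt.Errorf("username claim %q missing", cfg.UserNameClaim)
	}
	return str(cfg.UserNameClaim), nil
}

// RunScenario mints a constructed Google-style service-account ID token and reports what the posted
// listener config and three variants do with it: the accepted principal, or "REJECTED: <reason>".
func RunScenario() map[string]string {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed issuer key; "demo-kid-1" is a made-up kid
	keys := map[string]*rsa.PublicKey{"demo-kid-1": &key.PublicKey}
	now := time.Now()
	claims := map[string]interface{}{
		"iss": "https://accounts.google.com", "aud": "https://example.com", "iat": now.Unix(),
		"email": "impersonated-account@projectID.iam.gserviceaccount.com", "exp": now.Add(5 * time.Minute).Unix(),
	}
	token, _ := mintIDToken(key, "demo-kid-1", claims)
	claims["email"] = "attacker@example.com" // forged payload reusing the genuine signature
	forged, _ := json.Marshal(claims)
	parts := strings.Split(token, ".")
	posted := ListenerConfig{ValidIssuerURI: "https://accounts.google.com", UserNameClaim: "email"}
	strictTyp := ListenerConfig{ValidIssuerURI: posted.ValidIssuerURI, UserNameClaim: "email", CheckAccessTokenType: true}
	pinnedAud := ListenerConfig{ValidIssuerURI: posted.ValidIssuerURI, UserNameClaim: "email", ExpectedAudience: "https://kafka.internal"} // assumption
	out := map[string]string{}
	run := func(label, tok string, cfg ListenerConfig) {
		if p, err := ValidateToken(tok, keys, cfg, now); err != nil {
			out[label] = "REJECTED: " + err.Error()
		} else {
			out[label] = p
		}
	}
	run("posted-config", token, posted)
	run("typ-check-on", token, strictTyp)
	run("wrong-audience", token, pinnedAud)
	run("tampered", parts[0]+"."+b64(forged)+"."+parts[2], posted)
	return out
}

func main() { fmt.Println(RunScenario()) }
```

Run with `go run`: the `posted-config` entry comes back as the service-account email, while `typ-check-on`, `wrong-audience` and `tampered` are rejected with the reason. The `wrong-audience` case is the caveat worth noting: nothing in the CR above pins an audience, so as configured the listener has no reason to reject a correctly signed Google ID token that was minted for some other `--audience` value, and it will map it to the `email` claim like any other. Requiring a listener-specific audience (with whatever the Strimzi version in use offers for that, or at least by agreeing one in the gcloud `--audience` flag and checking it) keeps tokens issued for other services from being replayed against Kafka.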
Hi Team,
I have launched a new Kafka cluster with the following TLS configuration by enabling the authentication type OAuth. Primarily, my client ID and client secret refer to the ones created inside the Google OAuth API. This is the first time I am trying this approach, and it is returning me an error related to SSLHandshake about the token.
I am looking for any clue or input through which I can troubleshoot, as I am unsure of the error.
Need some inputs here.