Add OAUTHBEARER/OIDC support #53
Add OAUTHBEARER / OpenID Connect (OIDC) support as described in [KIP-768]. This is the authentication mechanism used by the GCN/TACH Kafka broker. Depends on astronomy-commons/adc-streaming#53.
I'm having a bit of a tough time testing this. I've been able to set up a local broker which allows unsecured OAUTHBEARER mechanism, but this patch and the new OIDC method appears not to actually be compatible with that, and I'm not sure what it will take to run a broker with full OIDC. Aside from that, I had a lot of trouble with getting a new enough version of librdkafka to support this. As far as I can tell, this is not yet in the latest release (1.8.2). I got it working (to the point that my client can try to use it) by building the current trunk of librdkafka, but we certainly can't expect hopskotch users (or other consumers of adc-streaming if there are any) to do that typically. Am I missing something here?
Correct. These features are in Apache Kafka 3.1.0 (recently released) but they are still just in master for librdkafka and should debut in version 1.9.0 which will be released any day now. I agree with you, and I don't advocate pushing a release of adc-streaming with this in it until it's fully supported upstream in releases of librdkafka and confluent-kafka-python. But hopefully you're OK with getting most of the code review done in advance? For the very near term, you can test using development wheels that I have built:
Okay, I agree that we can definitely do the review before that release happens. In fact, if we can check librdkafka's I have to build the dependencies from source anyway, since the wheels are broken on older Mac OS versions (the widely observed I will try setting up full OIDC auth in Kafka, since I would really like to do the due diligence of running this successfully myself, but if push comes to shove, if you've been able to run it against some broker, that shouldn't hold up accepting the PR.
librdkafka uses Magnus Edenhill's own trivup for bringing up test Kafka brokers. I think it already has OIDC support. I certainly have been able to run this against our broker. To test it, you are going to need not just a Kafka broker but also an OIDC provider.
SCiMMA already has an OIDC provider (COmanage) through which I can provision clients as needed, so that's not an obstacle. However, it does look like trivup has support, so if nothing else I may be able to learn from it how to do the configuration correctly.
Here are the relevant parts of our Kafka broker configuration. (Note that we are using
I've been able to test that this (in combination with the hop-client patch) works for me. If librdkafka's builtin.features is exposed to Python in any way, I can't find it, which is a shame, but we can live without the feature check.
There isn't, but we can check
Indeed, there's no reason to complain if the user doesn't happen to touch on this feature by actually requesting to make a connection using it.
OK, done. Please review.
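The feature check discussed above, as an added example that is not adc-streaming's own code: librdkafka's `builtin.features` is not reachable from Python, but `confluent_kafka.libversion()` does return the linked librdkafka version as `(string, integer)`, and librdkafka packs that integer as `0xMMmmrrpp` (major, minor, revision, pre-release byte, `0xff` for a final release). The check below only fires when the user actually asks for `sasl.oauthbearer.method=oidc`, so PLAIN/SCRAM users never see it. The 1.9.0 threshold comes from the thread; the config keys consulted and the wording of the message are this example's own choices.

```python
"""Added example (not adc-streaming's code): refuse OIDC on a librdkafka that cannot do it."""
from typing import Optional, Tuple

# librdkafka packs its version as 0xMMmmrrpp (major, minor, revision, pre-release byte,
# 0xff for a final release); confluent_kafka.libversion()[1] returns this integer.
# Threshold is 1.9.0 (pre-release builds of 1.9.0 included), where KIP-768 OIDC lands
# according to the discussion; adjust if a different floor is required.
OIDC_MIN_LIBRDKAFKA = 0x01090000


def split_librdkafka_version(version_int: int) -> Tuple[int, int, int]:
    """Decode 0xMMmmrrpp into (major, minor, revision)."""
    return ((version_int >> 24) & 0xFF, (version_int >> 16) & 0xFF, (version_int >> 8) & 0xFF)


def oidc_unsupported_message(version_int: int, config: dict) -> Optional[str]:
    """Return an error message if the config asks librdkafka for OIDC it cannot do, else None.

    Only reports when OIDC is actually requested: a user who never touches the
    feature should get no complaint at all.
    """
    mechanism = config.get("sasl.mechanisms", config.get("sasl.mechanism", ""))
    if str(mechanism).upper() != "OAUTHBEARER":
        return None
    if config.get("sasl.oauthbearer.method", "default") != "oidc":
        return None
    if version_int >= OIDC_MIN_LIBRDKAFKA:
        return None
    major, minor, rev = split_librdkafka_version(version_int)
    return (f"sasl.oauthbearer.method=oidc (KIP-768) requires librdkafka >= 1.9.0, "
            f"but confluent-kafka is linked against librdkafka {major}.{minor}.{rev}; "
            "upgrade confluent-kafka or supply an oauth_cb instead")


def check_installed(config: dict) -> Optional[str]:
    """Run the same check against the librdkafka actually linked into confluent-kafka."""
    try:
        from confluent_kafka import libversion
    except ImportError:
        return "confluent-kafka is not installed"
    return oidc_unsupported_message(libversion()[1], config)
```

`check_installed(config)` is the call to make just before constructing the `Consumer`/`Producer`; a non-`None` result is the message to raise, which gives the user a direct explanation instead of librdkafka's generic "no such configuration property" error for the unknown `sasl.oauthbearer.*` keys.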
Add OAUTHBEARER / OpenID Connect (OIDC) support as described in [KIP-768]. This is the authentication mechanism used by the GCN/TACH Kafka broker.

* The `SASLMethod` enum gets a new member, `OAUTHBEARER`.
* The `SASLAuth` constructor gets a new optional keyword argument, `token_endpoint`.
* The presence of the `token_endpoint` keyword argument causes the default SASL method to change to `OAUTHBEARER` and the oauthbearer method to change to `oidc`, because this option is required for OpenID Connect and ignored for all other auth methods.
* In OIDC mode, the `username` and `password` positional arguments are interpreted as the client ID and client secret.

[KIP-768]: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575
The new error message works well for me, and I like that we can extend the code which produces it to cover other features in the future if we need to.
This reverts commit 2dbb9ce.
@cnweaver, since upstream is taking longer than I expected to do a release of librdkafka, I wrote a pure Python implementation of the OIDC auth that will work with the current stable release of confluent-kafka-python. Please take a look.
I haven't had a chance to try running this, but it looks simple enough and makes sense to me. Let me check with @mjuric, but it seems like we should be able to merge this without waiting for librdkafka.
Thank you! When do you anticipate doing a release?
This morning was my plan.
Hold off a bit please. This was working yesterday but I am having some problems with it.
I already made https://github.com/astronomy-commons/adc-streaming/releases/tag/v2.1.0 , but I do not have the capability to publish to PyPI or Conda, so it isn't yet on those. If necessary we can make a 2.1.1 patch release. I did have to add a fix yesterday; if what you're seeing is a
No, I'm hitting some obscure bug in librdkafka: confluentinc/librdkafka#3263 (comment). I think that the reason that I missed this is that I tested the callback itself but not the
Code:

```python
#!/usr/bin/env python
import logging
logging.basicConfig(level=logging.DEBUG)

from uuid import uuid4

from confluent_kafka import Consumer, KafkaException


def set_oauth_cb(config):
    """Implement client support for KIP-768 OpenID Connect.

    Apache Kafka 3.1.0 supports authentication using OpenID Client Credentials.
    Native support for Python is coming in the next release of librdkafka
    (version 1.9.0). Meanwhile, this is a pure Python implementation of the
    refresh token callback.
    """
    if config.pop('sasl.oauthbearer.method', None) != 'oidc':
        return
    # Pop the KIP-768 properties: a librdkafka older than 1.9.0 rejects them
    # as unknown configuration properties, so they are handled here instead.
    client_id = config.pop('sasl.oauthbearer.client.id')
    client_secret = config.pop('sasl.oauthbearer.client.secret')
    scope = config.pop('sasl.oauthbearer.scope', None)
    token_endpoint = config.pop('sasl.oauthbearer.token.endpoint.url')

    from authlib.integrations.requests_client import OAuth2Session
    session = OAuth2Session(client_id, client_secret, scope=scope)

    def oauth_cb(*_, **__):
        # librdkafka invokes this with the value of sasl.oauthbearer.config
        # whenever a token must be (re)fetched; it expects a
        # (token, expiry as seconds since the epoch) pair back.
        token = session.fetch_token(
            token_endpoint, grant_type='client_credentials')
        return token['access_token'], token['expires_at']

    config['oauth_cb'] = oauth_cb


# Fill in client credentials here
config = {
    'bootstrap.servers': '...',
    'security.protocol': 'sasl_ssl',
    'sasl.mechanisms': 'OAUTHBEARER',
    'sasl.oauthbearer.method': 'oidc',
    'sasl.oauthbearer.client.id': '...',
    'sasl.oauthbearer.client.secret': '...',
    'sasl.oauthbearer.token.endpoint.url': '...',
    'group.id': str(uuid4()),
    'log_level': 7
}
set_oauth_cb(config)

consumer = Consumer(config)
consumer.subscribe(['foobar'])
# Poll in a loop: Consumer.consume() returns a single batch (one message by
# default), so iterating over it once would stop after the first message.
while True:
    message = consumer.poll(1.0)
    if message is None:
        continue
    if message.error():
        raise KafkaException(message.error())
    print(message.value())
```

Output:
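The same pure-Python client-credentials flow as the script above, written as an added example that is not code from this PR, from adc-streaming or from hop-client, with the checks a practitioner wants around a token callback: the token response is validated before it is trusted, the expiry handed to confluent-kafka is the shorter of `expires_in` and the JWT's `exp` claim (the signature is not verified client-side; the broker does that), a token that is already expired is rejected rather than retried forever, and the token is cached until shortly before expiry so a callback invocation does not always cost a round trip. The HTTP transport is injectable, so the `demo()` function runs offline against a constructed fake token endpoint and fake clock; the endpoint URL, client id, client secret and JWT in it are constructed placeholders, and the default transport's use of `client_secret_basic` is an assumption about what the provider accepts.

```python
"""Client-credentials token source usable as confluent-kafka's oauth_cb.

Added example, not adc-streaming's or hop-client's code. Endpoint URL, client
id, secret and the JWT in demo() are constructed placeholders.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

REFRESH_SKEW = 30  # seconds before expiry at which the cached token is treated as stale


def _post_form(url, data, auth):
    """Default transport: form POST with client_secret_basic (RFC 6749 s2.3.1), stdlib only."""
    cred = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        url, data=urllib.parse.urlencode(data).encode(), method="POST",
        headers={"Authorization": f"Basic {cred}",
                 "Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def jwt_exp(token):
    """exp claim of a JWT access token, or None for opaque tokens or tokens without exp.

    The signature is deliberately not checked here: the broker validates the
    token; the client only needs exp to schedule its refresh.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        payload = parts[1] + "=" * (-len(parts[1]) % 4)
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if isinstance(exp, (int, float)) else None


class ClientCredentialsTokenSource:
    def __init__(self, token_endpoint, client_id, client_secret, scope=None,
                 post=_post_form, clock=time.time):
        self._endpoint, self._auth, self._scope = token_endpoint, (client_id, client_secret), scope
        self._post, self._clock = post, clock  # injectable for offline testing
        self._token, self._expires_at = None, 0.0

    def fetch(self):
        """POST the client_credentials grant and validate the response before trusting it."""
        data = {"grant_type": "client_credentials"}
        if self._scope:
            data["scope"] = self._scope
        resp = self._post(self._endpoint, data, self._auth)
        if "error" in resp:  # RFC 6749 s5.2 error response; never echo the secret here
            raise RuntimeError(f"token endpoint refused the request: {resp['error']}")
        token = resp.get("access_token")
        if not isinstance(token, str) or not token:
            raise RuntimeError("token response lacks access_token")
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise RuntimeError("token endpoint did not issue a Bearer token")
        now = self._clock()
        lifetimes = [now + float(resp["expires_in"])] if "expires_in" in resp else []
        exp = jwt_exp(token)
        if exp is not None:
            lifetimes.append(float(exp))
        if not lifetimes:
            raise RuntimeError("cannot determine token lifetime (no expires_in, no exp claim)")
        expires_at = min(lifetimes)  # the shorter bound governs the refresh
        if expires_at <= now:
            raise RuntimeError("token endpoint issued an already-expired token (clock skew?)")
        self._token, self._expires_at = token, expires_at
        return token, expires_at

    def oauth_cb(self, _config_str=""):
        """confluent-kafka oauth_cb: returns (token, expiry as seconds since the epoch)."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_SKEW:
            self.fetch()
        return self._token, self._expires_at


def demo():
    """Run the source offline against a constructed fake token endpoint and a fake clock."""
    now = [1_700_000_000.0]
    calls = []
    # Constructed unsigned JWT whose exp is 600 s away although expires_in claims 3600 s.
    claims = base64.urlsafe_b64encode(json.dumps({"exp": 1_700_000_600}).encode()).rstrip(b"=").decode()
    jwt = f"e30.{claims}.sig"

    def fake_post(url, data, auth):
        calls.append(dict(data))
        assert url == "https://idp.example/token" and auth == ("hop-client", "s3cret")
        return {"access_token": jwt, "token_type": "Bearer", "expires_in": 3600}

    src = ClientCredentialsTokenSource("https://idp.example/token", "hop-client", "s3cret",
                                       scope="read", post=fake_post, clock=lambda: now[0])
    first = src.oauth_cb()
    second = src.oauth_cb()  # within lifetime: served from cache, no second POST
    now[0] += 580            # now inside REFRESH_SKEW of exp: the next call refreshes
    src.oauth_cb()
    return {"expires_at": first[1], "cached": first == second,
            "fetches": len(calls), "scope": calls[0].get("scope")}
```

To wire it in on a librdkafka older than 1.9.0, pop the `sasl.oauthbearer.*` keys exactly as the script above does and set `config["oauth_cb"] = ClientCredentialsTokenSource(token_endpoint, client_id, client_secret, scope).oauth_cb`; librdkafka still decides when to call the callback, the cache only avoids a needless token request when it calls early.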
FYI, this is reportedly fixed in librdkafka master, to be included in the next release. confluentinc/librdkafka#3263 (comment)