[QUESTION] Strimzi integration with OPENID (AWS Cognito OAuth) #29

Closed
klalafaryan opened this issue Feb 11, 2020 · 6 comments

Comments

@klalafaryan
Member

Hello everyone!

We are trying to integrate Strimzi with AWS Cognito OAuth, and it seems like Strimzi doesn't support integration with JWT.

It expects to have the scope in the response. I have found the following check in OAuthAuthenticator.java:

        JsonNode scope = result.get("scope");
        if (scope == null) {
            throw new IllegalStateException("Invalid response from authorization server: no scope");
        }

We have the following configuration in Strimzi Kafka:

listeners: # Listeners configure how clients connect to the Kafka cluster
  plain: {} # 9092
  tls: {} # 9093
  external:
    type: loadbalancer
    tls: false
    authentication: # not yet tested
      type: oauth
      accessTokenIsJwt: true
      disableTlsHostnameVerification: true
      validIssuerUri: "{validIssuerUri}"
      jwksEndpointUri: "{jwksEndpointUri}"
      clientId: client_id
      clientSecret:
        secretName: oauth-client-secret
        key: secret
    overrides: # to be checked as the hostname doesn't seem to be applied
      bootstrap:
        dnsAnnotations:
          external-dns.alpha.kubernetes.io/hostname: kafka-bootstrap.int.test.io.
        address: kafka-bootstrap.int.test.io

and the following configuration for the client:

System.setProperty(ClientConfig.OAUTH_TOKEN_ENDPOINT_URI, "https://kafka.auth.test.io/oauth2/token");
System.setProperty(ClientConfig.OAUTH_CLIENT_ID, "client-id");
System.setProperty(ClientConfig.OAUTH_CLIENT_SECRET, "client-secret");
properties.put("sasl.jaas.config", "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;");
properties.put("security.protocol", "SASL_PLAINTEXT");
properties.put("sasl.mechanism", "OAUTHBEARER");
properties.put("sasl.login.callback.handler.class", "io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler");

Could you please give some directions?

Any help is appreciated.

Thanks!

@mstruk
Contributor

mstruk commented Feb 11, 2020

@klalafaryan Could you paste a full stacktrace? It seems that your issue is on the client side, not on the Strimzi side.

To get more logging, enable io.strimzi DEBUG level logging.

For the broker specify the following in your Strimzi Kafka custom resource:

spec:
  kafka:
    logging:
      type: inline
      loggers:
        log4j.logger.io.strimzi: "DEBUG"

@klalafaryan
Member Author

@mstruk Thanks for your quick reply.
I will change the log level to DEBUG to get more insights.

We are using the AWS Cognito client_credentials grant type (OAUTH2 authentication) and the response we get doesn't contain the scope parameter. For example:

{
    "access_token": "{JWT_TOKEN}",
    "expires_in": 3600,
    "token_type": "Bearer"
}

And in io.strimzi.kafka.oauth.common.OAuthAuthenticator.java we can see that the scope is required, therefore we are getting an IllegalStateException:

        JsonNode scope = result.get("scope");
        if (scope == null) {
            throw new IllegalStateException("Invalid response from authorization server: no scope");
        }

It seems like, from the OAuth specification, the scope parameter is optional.

Is this a mandatory requirement for Strimzi to have the scope parameter in the response?
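The point under discussion is that RFC 6749 section 5.1 makes `access_token` and `token_type` required in a token-endpoint response, `expires_in` recommended, and `scope` optional when it matches what the client asked for, which is exactly the shape Cognito returns above. The following is an added example, written for this page and not Strimzi's code or the fix in the referenced PR: it parses a token response treating `scope` as optional, falling back to the requested scope when the server omits it, and offers a signature-free peek at the JWT payload so the `iss` claim can be compared with the broker's validIssuerUri while debugging. The sample response, issuer URL, client id and key id are constructed placeholders; the JWT in it is not really signed.

```python
"""Added example (not Strimzi's code): parse an OAuth2 token-endpoint
response per RFC 6749 section 5.1, treating `scope` as optional."""
import base64
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenResponse:
    access_token: str
    token_type: str
    expires_in: Optional[int]
    scope: Optional[str]  # None when neither server nor client named a scope


def parse_token_response(body: str, requested_scope: Optional[str] = None) -> TokenResponse:
    """Validate the JSON body returned by the token endpoint.

    access_token and token_type are REQUIRED; expires_in is RECOMMENDED;
    scope is OPTIONAL if identical to what the client requested, REQUIRED
    otherwise. A missing scope therefore means "you got what you asked
    for", not an invalid response.
    """
    try:
        result = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"token response is not JSON: {exc}") from None
    if not isinstance(result, dict):
        raise ValueError("token response is not a JSON object")

    token = result.get("access_token")
    if not isinstance(token, str) or not token:
        raise ValueError("Invalid response from authorization server: no access_token")

    token_type = result.get("token_type")
    if not isinstance(token_type, str) or token_type.lower() != "bearer":
        raise ValueError(f"unsupported token_type: {token_type!r}")

    expires_in = result.get("expires_in")
    if expires_in is not None and (not isinstance(expires_in, int) or expires_in <= 0):
        raise ValueError(f"invalid expires_in: {expires_in!r}")

    # Optional field: fall back to the requested scope when the server omits it.
    scope = result.get("scope")
    if scope is None:
        scope = requested_scope
    elif not isinstance(scope, str):
        raise ValueError(f"invalid scope: {scope!r}")

    return TokenResponse(token, token_type, expires_in, scope)


def _b64url_decode(segment: str) -> bytes:
    # JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_jwt_claims(token: str) -> dict:
    """Decode the payload of a JWS compact token WITHOUT checking the signature.

    Debugging aid only, e.g. to compare `iss` with the broker's validIssuerUri.
    The broker must still verify the signature against the JWKS endpoint.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact serialization (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("refusing unsigned token (alg=none)")
    return json.loads(_b64url_decode(parts[1]))


def _fake_jwt(claims: dict) -> str:
    # Constructed, unsigned token with the right shape; the signature segment is junk.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'RS256', 'kid': 'example-kid'})}.{enc(claims)}.c2lnbmF0dXJl"


# Constructed sample mirroring the Cognito client_credentials response above:
# no `scope` field. Issuer and client id are placeholders, not real values.
COGNITO_STYLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"iss": "https://cognito-idp.example/pool", "client_id": "client-id"}),
    "expires_in": 3600,
    "token_type": "Bearer",
})

if __name__ == "__main__":
    tr = parse_token_response(COGNITO_STYLE_RESPONSE, requested_scope="kafka/read")
    print("scope:", tr.scope)
    print("iss:", unverified_jwt_claims(tr.access_token)["iss"])
```

Note that `unverified_jwt_claims` deliberately stops at the header and payload; it is for reading `iss`, `exp` or `client_id` off a token while troubleshooting, never for making an authorization decision.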

@mstruk
Contributor

mstruk commented Feb 11, 2020

It currently is a required parameter. Looks like we'll have to relax that to support a wider set of OAuth2 authorization servers.

@klalafaryan
Member Author

@mstruk Thanks for the feedback.
I have created a PR which makes the scope property optional.

#30 Can you please have a look?

We are trying to deploy strimzi with AWS Cognito, and this is something which blocks us. Is it possible to make a hotfix/release ?

@mstruk
Contributor

mstruk commented Feb 19, 2020

@klalafaryan There's a Strimzi release in the making, and we're already a little late with it, so it probably won't make it. But you can build your own, with this patch included.

If you follow strimzi-kafka-operator/HACKING.md it should give you enough information to pull that off.

But if you have some problems, let me know.

@scholzj
Member

scholzj commented Feb 20, 2020

Closing this issue as it should be resolved by #30

@scholzj scholzj closed this as completed Feb 20, 2020