0.15.0-rc1
Pre-releaseMain Changes since 0.14.x
Added OAuth Client Assertion support
Allows clients to authenticate to authorization server by using client assertion as specified by rfc7523 and rfc7521.
The assertion can be provided by an external mechanism and available as a file on the file system or it can be explicitly set through OAuth configuration before running the Kafka client.
Introduced the following new configuration options:
oauth.client.assertion
oauth.client.assertion.location
oauth.client.assertion.type
Added support for clients to read access token and refresh token from a file when authenticating
Introduced the following new configuration options:
oauth.refresh.token.location
oauth.access.token.location
Added support for bearer token authentication when connecting to protected authorization server endpoints
This is used by broker when connecting to JWKS and Introspection endpoints. Added to support talking to the Kubernetes API server's JWKS endpoint.
Introduced the following new configuration options:
oauth.server.bearer.token
oauth.server.bearer.token.location
The authentication configuration rules for configuring the introspection endpoint have been relaxed.
Introspection endpoint can now be unprotected (no authentication configured on the listener) or it can be protected with
oauth.client.id
and oauth.client.secret
to send Basic
Authorization
header or with the oauth.server.bearer.token
or
oauth.server.bearer.token.location
when sending Bearer
Authorization
header.
JWKS endpoint can now also be protected in the same way.
Fixed NullPointerException that occurred when OAuthKafkaPrincipalBuilder was used with Kerberos authentication
Fixed a user id extraction bug where oauth.fallback.username.prefix
was ignored, and added oauth.username.prefix
A bug was introduced in 0.13.0 that resulted in oauth.fallback.username.prefix
being ignored. That should now be fixed.
A new configuration option was added: oauth.username.prefix
.
This allows for the consistent mapping of user ids into the same name space and may be needed to prevent name collisions.
Added support for SASL extension parameters
Added support for passing SASL extensions via OAuth configuration options, by using a prefix: oauth.sasl.extension.
If Kafka Broker uses some other custom OAUTHBEARER
implementation, it may require SASL extensions options to be sent by the Kafka client.
For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.15.0 milestone.
Staging repository
To test the release, use the staging repository by including following in your pom.xml
:
<repositories>
<repository>
<id>staging</id>
<url>https://oss.sonatype.org/content/repositories/iostrimzi-1208</url>
</repository>
</repositories>