feat: Add SASL/OAUTHTOKEN support #253
Force-pushed from bb76719 to 3a5e65e.
Looks like audit is failing due to rust version. A simple fix would be to lock
Looks pretty good for the first round. Couple of smaller nitpicks. I've fixed the CI in #254, so if you rebase this branch, you should be fine.
src/messenger.rs (outdated)
#[error("Other SASL error: {0}")] | ||
Other(String), |
I guess you've introduced this variant so that you have a catch-all version for the callback? I'm wondering if the callback should even use `SaslError` in the first place, or if it should rather return `Box<dyn std::error::Error + Send + Sync>` and you convert this to a `SaslError` variant like

```rust
use thiserror::Error;

#[derive(Error, Debug)]
pub enum SaslError {
    // ...
    #[error("OAuth Callback: {0}")]
    OauthCallback(Box<dyn std::error::Error + Send + Sync>),
    // ...
}
```
That's probably a good idea. I'll change it 👍
src/connection/transport/sasl.rs (outdated)
)?), | ||
Self::Oauthbearer(credentials) => { | ||
// Fetch the token first, since that's an async call. | ||
// The user can and should cache the token as appropriate to their OAUTH provider. |
```rust
// The user can and should cache the token as appropriate to their OAUTH provider.
```

Could you move this particular note into the docstring for `OauthCallback`? I think this is important for the user.
Force-pushed from 6239627 to 4c6ad64.
This was a bug in the existing implementation that sometimes caused issues, but that some Kafka brokers appear to tolerate.
I added a second commit, since I ran into a bug in the existing SASL implementation. It seems like I changed the code there a bit to account for this. I really don't understand how this could work at all; it should have completely broken PLAIN auth.
Me neither, but if it works now it works 🤷
Thank you.
Closes #252.

This adds `SASL/OAUTHBEARER` support to the client. Since `SaslConfig` no longer always contains `Credentials`, I did some minor refactoring and moved the rsasl `SASLConfig` building into a separate method on `SaslConfig`. There is no convenient method for doing Oauth, so we have to implement an rsasl callback for providing a bearer token. I've chosen the token callback to be asynchronous, since users of this library are likely to use an asynchronous HTTP library, or other OAUTH mechanism, and mixing sync and async is a very bad idea.

One thing I have not done is write any tests, mostly since writing an actual integration test supporting this would be very complicated. Since I have now done some of that myself, I have a vague idea of what would be needed:

- You would need an IDP; we used Azure AD, but you could make that self-contained using Keycloak or similar, though configuring that as part of tests is also non-trivial.
- You would need some form of Oauth plugin, which I believe isn't part of the docker image you use in tests (not entirely sure about that, we use the `strimzi` image).

- I've read the contributing section of the project CONTRIBUTING.md.
- Signed CLA (if not already signed).
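As an added illustration, not code from this PR or from the project, here is the error and callback design discussed in the review and the description in plain std Rust: the user's callback error is boxed into a dedicated `SaslError::OauthCallback` variant (so the source is preserved instead of flattened into a `String`), and the returned token is checked against the RFC 6750 `b64token` grammar before being framed as the OAUTHBEARER initial client response from RFC 7628. The callback is synchronous here only to keep the example free of an async runtime; the PR itself makes it async.

```rust
use std::error::Error;
use std::fmt;

/// Any boxed error the user's token callback may return.
pub type BoxError = Box<dyn Error + Send + Sync>;

/// Fetches (and, ideally, caches) the bearer token. Synchronous in this
/// example only; the real implementation would be async.
pub type TokenCallback = Box<dyn Fn() -> Result<String, BoxError> + Send + Sync>;

/// SASL errors. The callback error keeps its own variant so callers can
/// still inspect the underlying cause via `Error::source`.
#[derive(Debug)]
pub enum SaslError {
    OauthCallback(BoxError),
    InvalidToken(String),
}

impl fmt::Display for SaslError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::OauthCallback(e) => write!(f, "OAuth Callback: {e}"),
            Self::InvalidToken(why) => write!(f, "invalid bearer token: {why}"),
        }
    }
}

impl Error for SaslError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        match self {
            Self::OauthCallback(e) => Some(&**e),
            Self::InvalidToken(_) => None,
        }
    }
}

/// RFC 6750 b64token: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/",
/// followed by optional "=" padding. Rejects whitespace and control bytes
/// that would otherwise break the ^A-delimited SASL framing below.
fn is_b64token(token: &str) -> bool {
    let body = token.trim_end_matches('=');
    !body.is_empty() && body.chars().all(|c| c.is_ascii_alphanumeric() || "-._~+/".contains(c))
}

/// OAUTHBEARER initial client response (RFC 7628 section 3.1): GS2 header
/// "n,,", then "auth=Bearer <token>" delimited by 0x01 and a closing 0x01.
pub fn oauthbearer_client_first(cb: &TokenCallback) -> Result<Vec<u8>, SaslError> {
    let token = cb().map_err(SaslError::OauthCallback)?;
    if !is_b64token(&token) {
        return Err(SaslError::InvalidToken("not a b64token".into()));
    }
    Ok(format!("n,,\x01auth=Bearer {token}\x01\x01").into_bytes())
}
```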