kafka-python

SASL OAuth TokenProvider does not refresh

Open 2phost opened this issue 4 years ago • 1 comments

Hi, in my environment, I have a Kafka cluster configured with Keycloak using OAUTH (SASL_PLAINTEXT). As such, I developed a TokenProvider that authenticates the user and refreshes the token when it is about to expire.

The problem is: you only get the token in the very beginning, meaning that after some time my TokenProvider has a new token (updated using a thread), but you never ask for it. So I get the following error:

kafka.errors.TopicAuthorizationFailedError: [Error 29] TopicAuthorizationFailedError:

I can see two possible solutions:

  1. Extract the expires_in from the JWT token and have a parameter that allows updating the token X seconds before it expires.
  2. A simple parameter that allows us to set intervals to get a new token, for example every 5 minutes.

In my opinion, I would go with the second and leave the first one to be implemented by the TokenProvider (update the token returned by TokenProvider before it expires, which I am already doing). Moreover, the second is easier to implement.

Best regards,

2phost, Feb 11 '21 16:02

There is no mechanism to update SASL authentication after initial connection. So I think what would have to happen here is the connection would have to be closed and reconnected so that a new token could be sent. Do you know if/how the Java client manages this?

dpkp, Mar 27 '25 20:03
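The expiry-aware provider discussed in this thread, as an added example that is not code from either poster or from kafka-python. It assumes the provider is an object with a `token()` method, and `fetch_token` is a hypothetical callable standing in for the Keycloak token request. It reads the JWT `exp` claim (the thread mentions `expires_in`, which is a field of the token response rather than of the JWT) only to schedule refresh, and `seconds_left()` tells the application how long the last issued token stays valid, since the connection has to be reopened for a new token to be sent.

```python
import base64
import json
import threading
import time


def jwt_expiry(token):
    """Return the `exp` claim (Unix seconds) of a JWT without verifying it.

    Used only to schedule refresh; validating the signature stays with
    the broker and the identity provider.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


class RefreshingTokenProvider:
    """Duck-typed provider: the client calls token() when it authenticates."""

    def __init__(self, fetch_token, skew=60, clock=time.time):
        self._fetch = fetch_token  # hypothetical callable returning a JWT string
        self._skew = skew          # refresh this many seconds before `exp`
        self._clock = clock        # injectable so the logic can be tested
        self._lock = threading.Lock()
        self._token = None
        self._exp = 0

    def token(self):
        with self._lock:
            if self._token is None or self._clock() >= self._exp - self._skew:
                self._token = self._fetch()
                self._exp = jwt_expiry(self._token)
            return self._token

    def seconds_left(self):
        """Lifetime left on the last token handed out (0 if none yet)."""
        with self._lock:
            return max(0, self._exp - self._clock()) if self._token else 0


def make_jwt(exp):
    """Constructed, unsigned sample token used only to exercise the class."""
    def enc(d):
        raw = base64.urlsafe_b64encode(json.dumps(d).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'exp': exp})}.sig"
```
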