Add support for different claims for authentication#5336
Merged
pranav shah (prashah-confluent) merged 21 commits intomasterfrom Mar 16, 2026
Merged
Add support for different claims for authentication#5336pranav shah (prashah-confluent) merged 21 commits intomasterfrom
pranav shah (prashah-confluent) merged 21 commits intomasterfrom
Conversation
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
pranav shah (prashah-confluent)
requested a review
from Emanuele Sabellico (emasab)
Emanuele Sabellico (emasab)
requested changes
Mar 12, 2026
Contributor
Emanuele Sabellico (emasab)
left a comment
Emanuele Sabellico (emasab)
left a comment
There was a problem hiding this comment.
Thanks Pranav! This is my feedback:
Emanuele Sabellico (emasab)
approved these changes
Mar 16, 2026
Contributor
Emanuele Sabellico (emasab)
left a comment
Emanuele Sabellico (emasab)
left a comment
There was a problem hiding this comment.
LGTM, Thanks pranav shah (@prashah-confluent) !
airlock-confluentinc Bot
pushed a commit
that referenced
this pull request
Apr 6, 2026
* Add documentation for new sub claim config * Add new config in rdkafka_conf * Modify logic based on subclaim name value * Add unit tests * Fix style format errors for the modified files * Add integration tests for sub claim name * Fix style check for 0126-oauthbearer_oidc * Add new trivup version 0.15.0 and update the dependency in requirements.txt * Remove redundant comments * Update Change log * Remove the link for PR as GH adds it automatically * Add validation for subclaim string configuration * Remove tests as preconditions will already be validated before * Function should fail agnostic of reason. Corrected the comment * Modify integration test to fail at configuration finalization * Fix comment for configuration.md consistency * Add back the default value for sub_claim_name configuration * Rebuilt CONFIGURATION.md and fix style check * Fix style check * Add unit tests for rd_kafka_conf_validate_str * Fix style check
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PR description
Problem
For OIDC / SASL_OAUTHBEARER flows using librdkafka’s built‑in OIDC helper, we currently hard‑require that the JWT payload contain a sub claim. If the IdP omits sub or uses another claim (for example client_id) as the primary subject, librdkafka fails token acquisition with an error such as:
Failed to acquire SASL OAUTHBEARER token: Expected JSON JWT response with "sub" fieldFix
We have introduced a new config
sub_claim_nameusing which customers can provide a different claim. The claim value will be honored and used for client side validation.Note
Requires users to keep broker and client configs aligned for the subject claim name to avoid confusion and consistency.
Testing
Unit tests
To test the core JWT payload parsing and claim extraction logic inside rd_kafka_oidc_token_try_validate() in isolation (no broker, network, oidc server).
Default Configuration & Backward Compatibility
Implicit Default Behavior: Validate that when sub.claim.name is not provided, the system defaults to extracting the subject from the "sub" claim.
Legacy Parity: Ensure that existing JWTs containing only the "sub" claim continue to be processed correctly, maintaining no regressions for standard OIDC flows.
Explicit Claim Configuration (KIP-768 Parity)
Custom Claim Extraction: Verify that setting sub.claim.name (e.g., to client_id) successfully extracts the value from the specified field instead of the hardcoded "sub" key.
Configuration Precedence: Test that when both "sub" and a custom claim (e.g., "client_id") coexist in a JWT, the system honors the user-defined configuration over the OIDC default.
Error Handling & Validation Logic
Missing Claim Detection: Verify that providing a sub.claim.name that does not exist in the JWT triggers a specific "Claim not found" error, rather than failing on a hardcoded "sub".
Empty Value Rejection: Ensure the system rejects empty string subjects with a "non-empty value required" error, addressing previous bugs where empty strings passed silently.
Invalid Configuration Recovery: Validate that if sub.claim.name is set to an empty string, the system gracefully falls back to the OIDC default ("sub") to ensure continuous operation.
librdkafka & Java Client Alignment
Functional Parity: Ensure all scenarios are cross-validated against the Java KIP-768 implementation to guarantee identical extraction logic and exception triggers (e.g., ValidateException equivalents).
Integration tests
Design Doc