Implementation of OAUTHBEARER/OIDC metadata based authentication #5155
Conversation
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
There was a problem hiding this comment.
Pull Request Overview
This PR implements OAUTHBEARER/OIDC metadata-based authentication, initially supporting the Azure UAMI (User Assigned Managed Identity) method for token retrieval.
- Adds Azure UAMI metadata authentication support for OAUTHBEARER/OIDC
- Refactors HTTP client to support custom headers and retry logic
- Introduces configuration parameter for metadata authentication type
Reviewed Changes
Copilot reviewed 13 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/rdkafka_sasl_oauthbearer_oidc.c | Implements Azure metadata token refresh callback with HTTP calls to Azure UAMI endpoint |
| src/rdkafka_sasl_oauthbearer_oidc.h | Declares the new Azure metadata token refresh callback function |
| src/rdkafka_conf.h | Adds metadata authentication type enum and configuration structure |
| src/rdkafka_conf.c | Adds configuration property and refactors OIDC validation logic into separate functions |
| src/rdkafka_sasl_oauthbearer.c | Simplifies builtin token refresh callback detection logic |
| src/rdkafka.c | Integrates Azure metadata authentication into the OIDC token refresh mechanism |
| src/rdhttp.h | Updates HTTP client interface to support headers, timeouts, and retries |
| src/rdhttp.c | Enhances HTTP client with parameter appending, custom headers, and retry functionality |
| CONFIGURATION.md | Documents the new metadata authentication type configuration parameter |
| tests/0126-oauthbearer_oidc.c | Removes duplicate configuration line in test |
src/rdkafka_sasl_oauthbearer_oidc.c
Outdated
| if (!rk->rk_conf.sasl.oauthbearer.metadata_authentication | ||
| .params) | ||
| rk->rk_conf.sasl.oauthbearer.metadata_authentication | ||
| .params = '\0'; |
There was a problem hiding this comment.
Assigning '\0' (character literal) to a const char* pointer is incorrect. This should be NULL for an empty/null pointer, or "" for an empty string.
| .params = '\0'; | |
| .params = NULL; |
Copilot uses AI. Check for mistakes.
| if (hash_pos) | ||
| insert_pos = hash_pos - url; | ||
|
|
||
| if (has_question_mark && (url + insert_pos) < has_question_mark) |
There was a problem hiding this comment.
This condition appears to check if the insertion position is before the question mark, but the logic seems inverted. If we're inserting before a question mark, we likely shouldn't skip it.
| if (has_question_mark && (url + insert_pos) < has_question_mark) | |
| if (has_question_mark && (url + insert_pos) > has_question_mark) |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
No, this the case where the question mark is inside the hash instead of before it
| of++; | ||
| } | ||
| memcpy(ret + of, params, params_len); | ||
| of += params_len; |
There was a problem hiding this comment.
The memory allocation doesn't account for the remaining part of the URL after the insertion point (hash fragment). This will truncate the URL if there's a hash fragment.
| of += params_len; | |
| /* Calculate length of the remainder of the URL after the insertion point */ | |
| size_t remainder_len = strlen(url + insert_pos); | |
| ret = rd_malloc(insert_pos + strlen(separator) + params_len + remainder_len + 1); | |
| memcpy(ret, url, insert_pos); | |
| of += insert_pos; | |
| if (separator[0]) { | |
| ret[of] = separator[0]; | |
| of++; | |
| } | |
| memcpy(ret + of, params, params_len); | |
| of += params_len; | |
| /* Copy the remainder of the URL (e.g., hash fragment) */ | |
| memcpy(ret + of, url + insert_pos, remainder_len); | |
| of += remainder_len; |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
hash fragment needs to be removed
| of++; | ||
| } | ||
| memcpy(ret + of, params, params_len); | ||
| of += params_len; |
There was a problem hiding this comment.
The function doesn't copy the remaining part of the original URL after the insertion point (such as hash fragments). This will result in truncated URLs.
| of += params_len; | |
| /* Calculate length of the remaining part of the URL (e.g., hash fragment) */ | |
| size_t remaining_len = strlen(url + insert_pos); | |
| ret = rd_malloc(insert_pos + strlen(separator) + params_len + remaining_len + 1); | |
| memcpy(ret, url, insert_pos); | |
| of += insert_pos; | |
| if (separator[0]) { | |
| ret[of] = separator[0]; | |
| of++; | |
| } | |
| memcpy(ret + of, params, params_len); | |
| of += params_len; | |
| /* Copy the remaining part of the URL (e.g., hash fragment) */ | |
| memcpy(ret + of, url + insert_pos, remaining_len); | |
| of += remaining_len; |
Copilot uses AI. Check for mistakes.
There was a problem hiding this comment.
hash fragment needs to be removed
src/rdkafka_sasl_oauthbearer_oidc.c
Outdated
|
|
||
| char **extensions = NULL; | ||
| char **extension_key_value = NULL; | ||
| char *headers_array[] = {"Metadata: true"}; |
There was a problem hiding this comment.
[nitpick] The headers_array is defined as a local variable but could be a const static array since it never changes, improving performance and memory usage.
| char *headers_array[] = {"Metadata: true"}; | |
| static const char *headers_array[] = {"Metadata: true"}; |
Copilot uses AI. Check for mistakes.
airlock-confluentinc
bot
force-pushed
the
dev_oauthbearer_metadata_based
branch
4 times, most recently
from
e1c95a8 to
45f2a29
Compare
…tially supporting the Azure UAMI method.
based authentications
…ntity with IMDS that is the authentication service
function and enums
airlock-confluentinc
bot
force-pushed
the
dev_oauthbearer_metadata_based
branch
from
45f2a29 to
26d990a
Compare
initially supporting the Azure UAMI method.