堆栈内存溢出
  简体   繁体   English

如何将 librdkafka 与 OIDC 和 Azure AD 一起用作 OAUTHBEARER 的令牌提供者?

[英]How to use librdkafka with OIDC and Azure AD as token provider for OAUTHBEARER?

 原文  2022-12-01 14:29:09       c++/ azure/ oauth-2.0/ openid-connect/ librdkafka

问题描述

Problem问题

I want to use Kafka OIDC with Azure AD as a token provider, but I'm stuck on some strange errors.我想使用带有 Azure AD 的 Kafka OIDC 作为令牌提供者,但我遇到了一些奇怪的错误。

I have read many azure docs pages and tried their examples from https://github.com/Azure/azure-event-hubs-for-kafka - all those worked for me when I tested with python and C++. Including oauth(which uses Azure AD) examples listed in https://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/python我已经阅读了许多 azure 文档页面并尝试了来自https://github.com/Azure/azure-event-hubs-for-kafka的示例 - 当我使用 python 和 C++ 进行测试时,所有这些都对我有用。包括 oauth(使用Azure AD) https 中列出的示例://github.com/Azure/azure-event-hubs-for-kafka/tree/master/tutorials/oauth/python

Errors错误

When I attempted to use the credentials from the registered app's webpage following the https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc and using the v2 endpoint, I ended up with ERROR|rdkafka#producer-1| [thrd:app]: rdkafka#producer-1: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 272ms in state AUTH_REQ)当我尝试在https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc之后使用已注册应用程序网页中的凭据并使用 v2 端点时,我结束了ERROR|rdkafka#producer-1| [thrd:app]: rdkafka#producer-1: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 272ms in state AUTH_REQ) ERROR|rdkafka#producer-1| [thrd:app]: rdkafka#producer-1: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 272ms in state AUTH_REQ) ERROR|rdkafka#producer-1| [thrd:app]: rdkafka#producer-1: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 272ms in state AUTH_REQ) . ERROR|rdkafka#producer-1| [thrd:app]: rdkafka#producer-1: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 272ms in state AUTH_REQ) For the v1 without the scope, the error is similar - FAIL|rdkafka#producer-1| [thrd:sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap]: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 259ms in state AUTH_REQ).对于没有 scope 的 v1,错误类似 - FAIL|rdkafka#producer-1| [thrd:sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap]: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 259ms in state AUTH_REQ). FAIL|rdkafka#producer-1| [thrd:sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap]: sasl_ssl://myhub.servicebus.windows.net:9093/bootstrap: SASL authentication error: Invalid URI: The format of the URI could not be determined. (after 259ms in state AUTH_REQ).

Setup设置

Again, all the existing examples I tested work for me, but none of those uses OIDC.同样,我测试的所有现有示例都对我有用,但没有一个使用 OIDC。 The configuration I'm using is below - what should I use in sasl.oauthbearer.token.endpoint.url , sasl.oauthbearer.config to make this work?我正在使用的配置如下 - 我应该在sasl.oauthbearer.token.endpoint.urlsasl.oauthbearer.config中使用什么来完成这项工作?

    conf->set("bootstrap.servers", "myhub.servicebus.windows.net:9093", errstr);
    conf->set("security.protocol", "SASL_SSL", errstr);
    conf->set("sasl.mechanism", "OAUTHBEARER", errstr);
    conf->set("sasl.oauthbearer.method", "oidc", errstr);
    conf->set("sasl.oauthbearer.client.id", "***", errstr);
    conf->set("sasl.oauthbearer.client.secret", "***", errstr);
    conf->set("sasl.oauthbearer.token.endpoint.url", "https://login.microsoftonline.com/***/oauth2/v2.0/token", errstr);
    conf->set("sasl.oauthbearer.scope", "api://***/.default", errstr);

Links链接

Confluent Kafka OIDC - https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575融合 Kafka OIDC - https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575

C++ librdkafka OIDC - https://github.com/edenhill/librdkafka/blob/b871fdabab84b2ea1be3866a2ded4def7e31b006/src/rdkafka_sasl_oauthbearer_oidc.c#L242 C++ librdkafka OIDC - https://github.com/edenhill/librdkafka/blob/b871fdabab84b2ea1be3866a2ded4def7e31b006/src/rdkafka_sasl_oauthbearer_oidc.c#L242

Github issues question - https://github.com/Azure/azure-event-hubs-for-kafka/issues/223 Github 问题 - https://github.com/Azure/azure-event-hubs-for-kafka/issues/223

Edited:编辑:

Further debugging with debug=all revealed that OAUTHBEARER token is received while the app fails on SASL Authentication Sequence.使用 debug=all 进一步调试显示,当应用程序在 SASL 身份验证序列上失败时,收到了 OAUTHBEARER 令牌。

SASL OAUTHBEARER client in state client-first-message
Send SASL Kafka frame to broker
Sent SaslAuthenticateRequest

Received SaslAuthenticateResponse
Invalid URI: The format of the URI could not be determined.

1 个解决方案

解决方案1
 0 已采纳  2022-12-09 21:41:01

Okay, Azure responded that Kafka OIDC isn't tested on their side and may not be supported by the broker.好的,Azure 回复说Kafka OIDC 没有在他们这边测试过,可能broker 不支持。

But I tested that it works with Kafka OIDC - I will contribute with the examples to their repo soon.但我测试过它可以与 Kafka OIDC 一起使用——我将很快为他们的 repo 贡献示例。

The problem was using scope for the registered app( api://{app-id}/.default ) vs scope for the namespace( https://myhub.servicebus.windows.net/.default ) - latter one is correct.问题是将 scope 用于已注册的应用程序( api://{app-id}/.default )与将 scope 用于命名空间( https://myhub.servicebus.windows.net/.default ) - 后一个是正确的。

That, in turn, led to receiving the incorrect token-type and Invalid URI format - what really helped here was example from the confluent-kafka with no azure dependencies involved https://github.com/confluentinc/confluent-kafka-python/blob/master/examples/oauth_producer.py反过来,这导致接收到不正确的令牌类型和无效的 URI 格式——真正有用的是来自 confluent-kafka 的示例,没有涉及 azure 依赖关系https://github.com/confluentinc/confluent-kafka-python/blob/master/examples/oauth_producer.py

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用 librdkafka 更改正在运行的 kafka 主题的保留时间 - How to use librdkafka to change retention time for the running kafka topic 如何在 librdkafka 中使用“group.id”? (卡夫卡版本是“0.8.2.2”) - How can I use "group.id" in librdkafka? (kafka version is "0.8.2.2") 如何在Windows上的C ++代码中使用librdkafka中的KAFKA生产者API - How to use KAFKA's producer API in librdkafka with c++ code on windows 如何使用 CMakeList.txt 链接 librdkafka - How to link librdkafka using CMakeList.txt 如何为广告组使用AllocateAndInitializeSid? - How to use AllocateAndInitializeSid for an AD group? 在C ++项目(VS2013)中使用librdkafka - Use librdkafka in a C++ project (VS2013) 如何使用 librdkafka C++ 客户端添加拦截器? - How to add a interceptor using librdkafka C++ client? 如何在 librdkafka 中正确重新发送失败的消息? - how to re-send a failed message properly in librdkafka? 如何正确使用Qt QML图像提供程序 - How to correctly use Qt QML Image Provider librdkafka程序退出没有错误 - librdkafka Program Quits with No Error
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM