added support for azure workload identity PoC

Author: spike83

build.gradle

@@ -10,10 +10,11 @@ repositories {
 }
 
 dependencies {
-    implementation group: 'org.apache.kafka', name: 'kafka-clients', version: '3.6.1'
+    implementation group: 'org.apache.kafka', name: 'kafka-clients', version: '3.7.0'
     implementation 'com.fasterxml.jackson.core:jackson-databind:2.14.2'
-    implementation 'org.bitbucket.b_c:jose4j:0.9.3'
+    implementation 'org.bitbucket.b_c:jose4j:0.9.6'
     implementation 'org.slf4j:slf4j-api:1.7.36'
+    implementation 'com.azure:azure-identity:1.12.0'
     testImplementation 'org.junit.jupiter:junit-jupiter-api:5.8.1'
     testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.8.1'
 }

src/main/java/io/confluent/oauth/HttpAccessTokenRetriever.java

@@ -21,6 +21,9 @@
 
 package io.confluent.oauth;
 
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
 import com.fasterxml.jackson.databind.JsonNode;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import java.io.ByteArrayInputStream;
@@ -42,6 +45,11 @@
 import java.util.concurrent.ExecutionException;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLSocketFactory;
+import com.azure.core.credential.AccessToken;
+import com.azure.core.credential.TokenCredential;
+import com.azure.core.credential.TokenRequestContext;
+import io.confluent.oauth.azure.managedidentity.utils.WorkloadIdentityUtils;
+import io.confluent.oauth.azure.managedidentity.utils.WorkloadIdentityUtils;
 import org.apache.kafka.common.KafkaException;
 
 
@@ -122,6 +130,8 @@ public class HttpAccessTokenRetriever implements AccessTokenRetriever {
 
     private final Map<String, String> headers = new HashMap<>();
 
+    private final boolean useWorkloadIdentity;
+
     public HttpAccessTokenRetriever(String clientId,
         String clientSecret,
         String scope,
@@ -131,9 +141,11 @@ public HttpAccessTokenRetriever(String clientId,
         long loginRetryBackoffMaxMs,
         Integer loginConnectTimeoutMs,
         Integer loginReadTimeoutMs,
-        String requestMethod) {
+        String requestMethod,
+        boolean useWorkloadIdentity) {
         this.clientId = Objects.requireNonNull(clientId);
         this.clientSecret = Objects.requireNonNull(clientSecret);
+        this.useWorkloadIdentity = useWorkloadIdentity;
         this.scope = scope;
         this.sslSocketFactory = sslSocketFactory;
         this.tokenEndpointUrl = Objects.requireNonNull(tokenEndpointUrl);
@@ -161,6 +173,17 @@ public HttpAccessTokenRetriever(String clientId,
 
     @Override
     public String retrieve() throws IOException {
+        // TODO: should we use the AZURE_FEDERATED_TOKEN_FILE variable to enable workload identity? And AZURE_AUTHORITY_HOST to use for the endpoint url?
+        if (this.useWorkloadIdentity){
+            log.debug("using workload identity to get token");
+            // AccessToken https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/core/azure-core/src/main/java/com/azure/core/credential/AccessToken.java
+            TokenCredential workloadIdentityCredential = WorkloadIdentityUtils.createWorkloadIdentityCredentialFromEnvironment();
+            TokenRequestContext tokenRequestContext = WorkloadIdentityUtils.createTokenRequestContextFromEnvironment(scope);
+            AccessToken azureIdentityAccessToken = workloadIdentityCredential.getTokenSync(tokenRequestContext);
+            log.trace("useWorkloadIdentity token, got token from AzureAD: '{}'", azureIdentityAccessToken.getToken());
+            return azureIdentityAccessToken.getToken();
+        }
+
         String authorizationHeader = formatAuthorizationHeader(clientId, clientSecret);
         String requestBody = requestMethod == "GET" ? null : formatRequestBody(scope);
         Retry<String> retry = new Retry<>(loginRetryBackoffMs, loginRetryBackoffMaxMs);

src/main/java/io/confluent/oauth/azure/managedidentity/OAuthBearerLoginCallbackHandler.java

@@ -167,6 +167,7 @@ public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHand
     public static final String CLIENT_ID_CONFIG = "clientId";
     public static final String CLIENT_SECRET_CONFIG = "clientSecret";
     public static final String SCOPE_CONFIG = "scope";
+    public static final String USE_WORKLOAD_IDENTITY_CONFIG = "useWorkloadIdentity";
 
     public static final String CLIENT_ID_DOC = "The OAuth/OIDC identity provider-issued " +
         "client ID to uniquely identify the service account to use for authentication for " +
@@ -182,9 +183,15 @@ public class OAuthBearerLoginCallbackHandler implements AuthenticateCallbackHand
         "clientcredentials grant type.";
 
     public static final String SCOPE_DOC = "The (optional) HTTP/HTTPS login request to the " +
-        "token endpoint (" + SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL + ") may need to specify an " +
-        "OAuth \"scope\". If so, the " + SCOPE_CONFIG + " is used to provide the value to " +
-        "include with the login request.";
+            "token endpoint (" + SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL + ") may need to specify an " +
+            "OAuth \"scope\". If so, the " + SCOPE_CONFIG + " is used to provide the value to " +
+            "include with the login request.";
+
+
+    public static final String USE_WORKLOAD_IDENTITY_DOC = "The (optional) HTTP/HTTPS login request to the " +
+            "token endpoint (" + SASL_OAUTHBEARER_TOKEN_ENDPOINT_URL + ") may need to specify an " +
+            "'Authorization' header of the Workload Identity. If so, the " + USE_WORKLOAD_IDENTITY_CONFIG +
+            " must be set to true";
 
     private static final String EXTENSION_PREFIX = "extension_";
 
@@ -231,6 +238,7 @@ protected AccessTokenRetriever createAccessTokenRetriever(Map<String, ?> configs
         final String clientId = jou.validateString(CLIENT_ID_CONFIG);
         final String clientSecret = jou.validateString(CLIENT_SECRET_CONFIG);
         final String scope = jou.validateString(SCOPE_CONFIG, false);
+        final boolean useWorkloadIdentity = jou.validateString(USE_WORKLOAD_IDENTITY_CONFIG).equalsIgnoreCase("true");
 
         SSLSocketFactory sslSocketFactory = null;
 
@@ -246,7 +254,8 @@ protected AccessTokenRetriever createAccessTokenRetriever(Map<String, ?> configs
                 cu.validateLong(SASL_LOGIN_RETRY_BACKOFF_MAX_MS),
                 cu.validateInteger(SASL_LOGIN_CONNECT_TIMEOUT_MS, false),
                 cu.validateInteger(SASL_LOGIN_READ_TIMEOUT_MS, false),
-                "GET");
+                "GET",
+                useWorkloadIdentity);
 
         httpAccessTokenRetriever.getHeaders().put("Metadata", "true");
         return httpAccessTokenRetriever;

src/main/java/io/confluent/oauth/azure/managedidentity/utils/WorkloadIdentityKafkaClientOAuthBearerAuthenticationException.java

@@ -0,0 +1,28 @@
+/*
+MIT License
+
+Copyright (c) 2023 Nikolai Seip
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+This file was copied from https://github.com/nniikkoollaaii/workload-identity-kafka-sasl-oauthbearer/blob/main/src/main/java/io/github/nniikkoollaaii/kafka/workload_identity/WorkloadIdentityKafkaClientOAuthBearerAuthenticationException.java
+ */
+package io.confluent.oauth.azure.managedidentity.utils;
+
+/**
+ * Custom runtime exception to signal errors when using Workload Identity to fetch a token from AzureAD.
+ */
+public class WorkloadIdentityKafkaClientOAuthBearerAuthenticationException extends RuntimeException {
+
+    public WorkloadIdentityKafkaClientOAuthBearerAuthenticationException(String message) {
+        super(message);
+    }
+}

src/main/java/io/confluent/oauth/azure/managedidentity/utils/WorkloadIdentityUtils.java

@@ -0,0 +1,97 @@
+/*
+MIT License
+
+Copyright (c) 2023 Nikolai Seip
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+This file was copied from https://github.com/nniikkoollaaii/workload-identity-kafka-sasl-oauthbearer/blob/main/src/main/java/io/github/nniikkoollaaii/kafka/workload_identity/WorkloadIdentityUtils.java
+ */
+package io.confluent.oauth.azure.managedidentity.utils;
+
+import com.azure.core.credential.TokenRequestContext;
+import com.azure.identity.WorkloadIdentityCredential;
+import com.azure.identity.WorkloadIdentityCredentialBuilder;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+public class WorkloadIdentityUtils {
+
+        private static final Logger log = LoggerFactory.getLogger(WorkloadIdentityUtils.class);
+
+
+        // ENV vars set by AzureAD Workload Identity Mutating Admission Webhook: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
+        public static final String AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_FEDERATED_TOKEN_FILE = "AZURE_FEDERATED_TOKEN_FILE";
+        public static final String AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_AUTHORITY_HOST = "AZURE_AUTHORITY_HOST";
+        public static final String AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_TENANT_ID = "AZURE_TENANT_ID";
+        public static final String AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_CLIENT_ID = "AZURE_CLIENT_ID";
+
+
+        public static String getTenantId() {
+                String tenantId = System.getenv(WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_TENANT_ID);
+                if (tenantId == null || tenantId.equals(""))
+                        throw new WorkloadIdentityKafkaClientOAuthBearerAuthenticationException(String.format("Missing environment variable %s", WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_TENANT_ID));
+                log.debug("Config: Tenant Id " + tenantId);
+                return tenantId;
+        }
+
+        public static String getClientId() {
+                String clientId = System.getenv(WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_CLIENT_ID);
+                if (clientId == null || clientId.equals(""))
+                        throw new WorkloadIdentityKafkaClientOAuthBearerAuthenticationException(String.format("Missing environment variable %s", WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_CLIENT_ID));
+                log.debug("Config: Client Id " + clientId);
+                return clientId;
+        }
+
+        public static WorkloadIdentityCredential createWorkloadIdentityCredentialFromEnvironment() {
+                String federatedTokeFilePath = System.getenv(WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_FEDERATED_TOKEN_FILE);
+                if (federatedTokeFilePath == null || federatedTokeFilePath.equals(""))
+                        throw new WorkloadIdentityKafkaClientOAuthBearerAuthenticationException(String.format("Missing environment variable %s", WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_FEDERATED_TOKEN_FILE));
+                log.debug("Config: Federated Token File Path " + federatedTokeFilePath);
+
+                String authorityHost = System.getenv(WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_AUTHORITY_HOST);
+                if (authorityHost == null || authorityHost.equals(""))
+                        throw new WorkloadIdentityKafkaClientOAuthBearerAuthenticationException(String.format("Missing environment variable %s", WorkloadIdentityUtils.AZURE_AD_WORKLOAD_IDENTITY_MUTATING_ADMISSION_WEBHOOK_ENV_AUTHORITY_HOST));
+                log.debug("Config: Authority host " + authorityHost);
+                
+                String tenantId = getTenantId(); 
+                String clientId = getClientId();
+
+
+                WorkloadIdentityCredential workloadIdentityCredential  = new WorkloadIdentityCredentialBuilder()
+                        .tokenFilePath(federatedTokeFilePath)
+                        .authorityHost(authorityHost)
+                        .clientId(clientId)
+                        .tenantId(tenantId)
+                        .build();
+
+                return workloadIdentityCredential;
+        }
+
+
+        public static TokenRequestContext createTokenRequestContextFromEnvironment(String scope) {
+
+                String tenantId = getTenantId(); 
+                String clientId = getClientId();
+
+                //Construct a TokenRequestContext to be used be requsting a token at runtime.
+                String usedScope =  clientId + "/.default";
+                if(scope != null && !scope.isEmpty()) {
+                        usedScope = scope;
+                }
+                log.debug("Config: Scope " + usedScope);
+                TokenRequestContext tokenRequestContext = new TokenRequestContext() // TokenRequestContext: https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/core/azure-core/src/main/java/com/azure/core/credential/TokenRequestContext.java
+                        .addScopes(usedScope)
+                        .setTenantId(tenantId);
+
+                return tokenRequestContext;
+        }
+}