KIP-1025 — Optionally URL-encode clientID and clientSecret in authorization header
Tags: Accepted, Kafka 3.9, Security
Adds a `sasl.oauthbearer.header.urlencode` client configuration that lets a client opt into URL-encoding the clientID and clientSecret when constructing the HTTP Basic `Authorization` header for OIDC token endpoint requests. RFC 6749 §2.3.1 requires each credential to be form-urlencoded before the two are joined and base64-encoded into that header, but the KIP-768 implementation omitted this step, which can cause authentication failures against OIDC providers that decode the header strictly.
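The following is an added example, not code from Kafka or from the KIP itself. It builds the Basic `Authorization` header both ways (raw `clientID:clientSecret` as KIP-768 originally did, and with each credential form-urlencoded first as RFC 6749 §2.3.1 requires) and then decodes it the way a strict provider would, so the mismatch becomes visible. Python's `urllib.parse.quote_plus` is used here as the form-urlencoding step; that choice, and the sample credentials containing a colon, a plus sign and a space, are assumptions constructed for the illustration.

```python
import base64
from urllib.parse import quote_plus, unquote_plus


def basic_auth_header(client_id: str, client_secret: str, url_encode: bool) -> str:
    """Build the Basic Authorization header for a token endpoint request.

    url_encode=False mirrors the original KIP-768 behaviour (credentials used
    verbatim); url_encode=True mirrors what sasl.oauthbearer.header.urlencode
    enables, i.e. RFC 6749 §2.3.1 encoding of each credential before joining.
    quote_plus stands in for application/x-www-form-urlencoded here (assumption).
    """
    if url_encode:
        client_id = quote_plus(client_id)
        client_secret = quote_plus(client_secret)
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_basic_auth(header: str) -> tuple[str, str]:
    """Decode the header the way a strict OIDC provider does:
    base64-decode, split on the first ':', then form-urldecode each part."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    raw = base64.b64decode(token).decode("utf-8")
    user, _, password = raw.partition(":")
    return unquote_plus(user), unquote_plus(password)


def demo() -> dict:
    """Compare what the provider recovers from each header variant.

    Sample credentials are constructed for this example; the colon in the
    clientID and the '+' and space in the clientSecret are exactly the
    characters that break when the header is built without encoding.
    """
    client_id = "svc:kafka"
    client_secret = "p+ss w0rd"
    unencoded = basic_auth_header(client_id, client_secret, url_encode=False)
    encoded = basic_auth_header(client_id, client_secret, url_encode=True)
    return {
        "unencoded_seen_by_provider": decode_basic_auth(unencoded),
        "encoded_seen_by_provider": decode_basic_auth(encoded),
        "encoded_matches": decode_basic_auth(encoded) == (client_id, client_secret),
        "unencoded_matches": decode_basic_auth(unencoded) == (client_id, client_secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

For purely alphanumeric credentials both variants produce byte-identical headers, which is why the missing encoding in KIP-768 could go unnoticed until a deployment used a secret with reserved characters or a provider that decodes per the RFC. Because the default of the new option preserves the old behaviour, operators whose provider rejects the raw header need to set `sasl.oauthbearer.header.urlencode` explicitly.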
Details
| Field | Value |
|---|---|
| Author | Nelson B. |
| Status | Accepted |
| Kafka Version | 3.9 |
| JIRA | KAFKA-16345 |
| Wiki | View on Apache Wiki |
| Created | 2024-03-06 |
| Last Modified | 2024-07-01 |