KIP-368: Allow SASL Connections to Periodically Re-Authenticate
Accepted · Kafka 2.2 · Security
Adds support for periodic SASL re-authentication on existing connections by introducing a `connections.max.reauth.ms` broker configuration. Once that interval has elapsed, the client must re-authenticate before the next request or the connection is closed. Without re-authentication, long-lived Kafka connections bypass token expiry for SASL/OAUTHBEARER and prevent immediate revocation of access when SASL/SCRAM credentials are rotated or ACLs are changed.
Protocol Impact
SaslHandshake · SaslAuthenticate
Details
| Author | Ron Dagostino |
| Status | Accepted |
| Kafka Version | 2.2 |
| JIRA | KAFKA-7352 |
| Created | 2018-08-20 |
| Last Modified | 2020-02-03 |