Bump io.strimzi:kafka-oauth-client from 0.12.0 to 0.13.0 #166

Open
wants to merge 1 commit into
base: master

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Jul 24, 2023

Bumps io.strimzi:kafka-oauth-client from 0.12.0 to 0.13.0.

Release notes

Sourced from io.strimzi:kafka-oauth-client's releases.

0.13.0

Main Changes since 0.12.x

KeycloakAuthorizer has been added that supports both Zookeeper and KRaft mode

While KeycloakRBACAuthorizer can still be used in Zookeeper mode, for the future you should migrate your configuration to use KeycloakAuthorizer.

As part of supporting KRaft mode the grants mapping logic has changed slightly. Rather than using the access token as a unit of grant, the user id is now used. This results in better sharing of the grants between sessions of the same user, and should also reduce the number of grants held in cache, and the number of refresh requests to the Keycloak server.

Additional configuration options have been added:

  • strimzi.authorization.grants.max.idle.time.seconds specifies the time after which an idle grant in the cache can be evicted
  • strimzi.authorization.grants.gc.period.seconds specifies a time between consecutive runs of the grants cache garbage collection job

Also, the option strimzi.authorization.reuse.grants now defaults to true, and no longer to false.

Global option strimzi.oauth.metric.reporters has been added to supersede metric.reporters in OAuth metrics

To avoid double instantiation of metric reporters that only expect to work as singletons, metric.reporters option is no longer used by OAuth metrics. If the new strimzi.oauth.metric.reporters is not set, OAuth metrics will still instantiate a default org.apache.kafka.common.metrics.JmxReporter if any OAuth metrics are enabled. In order to install some other metric reporter in addition to JmxReporter both have to be listed. Also, the suggested way to configure it on the Kafka broker is to set it as env variable, rather than a property in server.properties file.

Fixed JsonPath handling of null in a query when attribute was missing

This change introduces a backwards incompatible change in how queries using equals or not equals comparison to null are handled when the targeted attribute is not present.

Examples of affected queries as used in oauth.custom.claim.check:

  • "@.missing == null"
  • "@.missing != null"

Principal extraction from nested username claim was added

It is now possible to use JsonPath query to target nested attributes when extracting a principal. In order to use JsonPath start your claim specification with opening square bracket [.

For example:

oauth.username.claim="['user.info'].['user.id']"
oauth.fallback.username.claim="['user.info'].['client.id']"

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.13.0 milestone.

0.13.0-rc1

Main Changes since 0.12.x

KeycloakAuthorizer has been added that supports both Zookeeper and KRaft mode

While KeycloakRBACAuthorizer can still be used in Zookeeper mode, for the future you should migrate your configuration to use KeycloakAuthorizer.

... (truncated)

Changelog

Sourced from io.strimzi:kafka-oauth-client's changelog.

0.13.0

Fixed json-path handling of null

This change introduces a backwards incompatible change in how queries using equals or not equals comparison to null are handled.

Previously the query "@.missing == null" where JWT token claim called missing was not present in the token would evaluate to false. Similarly the query "@.missing != null" would evaluate to true.

Such behavior is clearly non-intuitive, and was recognised as a bug and fixed in the json-path library.

By bumping the version of json-path to 2.8.0 the behaviour is now fixed. The query "@.missing == null" evaluates to true, and "@.missing != null" evaluates to false.

The documentation in README.md has always contained a note that one should not use null comparison in the queries. Those who followed that rule will not be affected.

Commits
  • ab7c676 Prepare for 0.13.0 release
  • 1aad01c Bump dependency versions and Strimzi Kafka version in example yamls (#198)
  • 47e76b1 Principal extraction from nested username claim was broken (#194)
  • a0c4c34 Remove the use of metric.reporters in OAuth metrics, use `strimzi.metric.re...
  • fc97c59 Update json-path to version 2.8.0 - introduces a breaking change in how `oaut...
  • 8be8321 Logging fixes all around the code (#195)
  • 2cf1d5a Fix KeycloakRBACAuthorizer to work with StandardAuthorizer in KRAFT mode (#...
  • 3f20677 Updated maintainers (#191)
  • See full diff in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
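
Added example (not part of this pull request or of the Strimzi project's code): an upgrade audit that finds `oauth.custom.claim.check` queries comparing an attribute to null and reports how that comparison evaluates for a token lacking the attribute under 0.12.x and under 0.13.0, using the before/after values stated in the changelog above. The sample configuration lines, attribute names and function names are constructed for illustration.

```python
import re

# Key named in the release notes; everything after '=' is treated as the query.
CHECK_RE = re.compile(r"oauth\.custom\.claim\.check\s*=\s*(.+)")
# A JsonPath attribute compared to null, e.g. "@.missing == null".
NULL_CMP_RE = re.compile(r"(?P<attr>@[\w.]+)\s*(?P<op>==|!=)\s*null\b")


def result_when_missing(op, json_path_fixed):
    """Result of '<attr> <op> null' when <attr> is absent from the token,
    per the 0.13.0 changelog (json_path_fixed=False is the 0.12.x result)."""
    equals_null = json_path_fixed  # '== null': false before the fix, true after
    return equals_null if op == "==" else not equals_null


def audit(config_text):
    """Return one finding per null comparison found in a custom claim check."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if line.startswith("#"):
            continue
        match = CHECK_RE.search(line)
        if not match:
            continue
        query = match.group(1).strip().rstrip(";").strip().strip('"')
        for cmp_ in NULL_CMP_RE.finditer(query):
            op = cmp_.group("op")
            findings.append({
                "line": lineno,
                "attribute": cmp_.group("attr"),
                "operator": op,
                # Value of this comparison (not of the whole query) for a
                # token that lacks the attribute, before and after the bump.
                "missing_claim_0_12": result_when_missing(op, False),
                "missing_claim_0_13": result_when_missing(op, True),
            })
    return findings


# Constructed sample lines (as if gathered from several client configs).
SAMPLE = """\
# constructed sample, not taken from the pull request
oauth.username.claim="preferred_username"
oauth.custom.claim.check="@.tenant != null"
oauth.custom.claim.check="@.typ == 'Bearer'"
oauth.custom.claim.check="@.revoked == null"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A finding where `missing_claim_0_12` is true for a `!= null` comparison marks a check that, before this bump, did not reject tokens missing the claim.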

Bumps [io.strimzi:kafka-oauth-client](https://github.com/strimzi/strimzi-kafka-oauth) from 0.12.0 to 0.13.0.
- [Release notes](https://github.com/strimzi/strimzi-kafka-oauth/releases)
- [Changelog](https://github.com/strimzi/strimzi-kafka-oauth/blob/main/RELEASE_NOTES.md)
- [Commits](strimzi/strimzi-kafka-oauth@0.12.0...0.13.0)

---
updated-dependencies:
- dependency-name: io.strimzi:kafka-oauth-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot commented on behalf of github Jul 24, 2023

The following labels could not be found: area/dependencies.
