SASL OAuth TokenProvider does not refresh

[2phost]

Hi,
In my environment, I have a Kafka cluster configured with Keycloak using OAUTH (SASL_PLAINTEXT). As such, I developed a TokenProvider that authenticates the user and refreshes the token when it is about to expired.

The problem is: you only get the token in the very beginning, meaning that after some time my tokenprovider have a new token (updated using a thread), but you never ask for it. So I get the following error:

kafka.errors.TopicAuthorizationFailedError: [Error 29] TopicAuthorizationFailedError:

I can see two possible solutions:

1. Extract the expires_in from the jwt token and have a parameter to allows update the token X seconds before it expires.
2. A simple parameter that allow us to set intervals to get new token, for example every 5 minutes.

In my opinion, I would go with the second and leave the first one to be implemented by the TokenProvider (update the token returned by TokenProvider before it expires, which I am already doing it). Moreover the second is easier to implement.

Best regards,

[dpkp]

There is no mechanism to update SASL authentication after initial connection. So I think what would have to happen here is the connection would have to be closed and reconnected so that a new token could be sent. Do you know if/how the java client manages this?