SamBarker
diff --git a/‎kroxylicious-filter-test-support/src/main/java/io/kroxylicious/test/assertj/HeaderAssert.java‎
Lines changed: 34 additions & 9 deletions b/‎kroxylicious-filter-test-support/src/main/java/io/kroxylicious/test/assertj/HeaderAssert.java‎
Lines changed: 34 additions & 9 deletions
diff --git a/‎kroxylicious-filter-test-support/src/test/java/io/kroxylicious/test/assertj/HeaderAssertTest.java‎
Lines changed: 25 additions & 0 deletions b/‎kroxylicious-filter-test-support/src/test/java/io/kroxylicious/test/assertj/HeaderAssertTest.java‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎kroxylicious-filters/kroxylicious-oauthbearer-validation/src/main/java/io/kroxylicious/proxy/filter/oauthbearer/OauthBearerValidationFilter.java‎
Lines changed: 25 additions & 2 deletions b/‎kroxylicious-filters/kroxylicious-oauthbearer-validation/src/main/java/io/kroxylicious/proxy/filter/oauthbearer/OauthBearerValidationFilter.java‎
Lines changed: 25 additions & 2 deletions
@@ -14,8 +14,15 @@
 import org.assertj.core.api.AbstractStringAssert;
 import org.assertj.core.api.Assertions;
 import org.assertj.core.api.InstanceOfAssertFactories;
+import org.assertj.core.api.ThrowingConsumer;
 
+@SuppressWarnings("UnusedReturnValue")
 public class HeaderAssert extends AbstractAssert<HeaderAssert, Header> {
+
+    private static final String VALUE_SUFFIX = "value";
+    private static final String KEY_SUFFIX = "key";
+    public static final String DESCRIBED_AS_PATTERN = "%s %s";
+
     protected HeaderAssert(Header header) {
         super(header, HeaderAssert.class);
         describedAs(header == null ? "null header" : "header");
@@ -25,16 +32,18 @@ public static HeaderAssert assertThat(Header actual) {
         return new HeaderAssert(actual);
     }
 
+    @SuppressWarnings("java:S1452")
     private AbstractStringAssert<?> key() {
         var existingDescription = descriptionText();
         return Assertions.assertThat(actual.key())
-                .describedAs(existingDescription + " key");
+                .describedAs(DESCRIBED_AS_PATTERN, existingDescription, KEY_SUFFIX);
     }
 
+    @SuppressWarnings("java:S1452")
     public AbstractByteArrayAssert<?> value() {
         var existingDescription = descriptionText();
         return Assertions.assertThat(actual.value())
-                .describedAs(existingDescription + " value");
+                .describedAs(DESCRIBED_AS_PATTERN, existingDescription, VALUE_SUFFIX);
     }
 
     public HeaderAssert hasKeyEqualTo(String expected) {
@@ -47,18 +56,13 @@ public HeaderAssert hasValueEqualTo(String expected) {
             isNotNull().value().isNull();
         }
         else {
-            String existingDescription = descriptionText();
-            isNotNull().value()
-                    .asInstanceOf(InstanceOfAssertFactories.BYTE_ARRAY)
-                    .asString(StandardCharsets.UTF_8)
-                    .as(existingDescription + " value")
-                    .isEqualTo(expected);
+            hasStringValueSatisfying(val -> Assertions.assertThat(val).isEqualTo(expected));
         }
         return this;
     }
 
     public HeaderAssert hasValueEqualTo(byte[] expected) {
-        isNotNull().value().isEqualTo(expected);
+        hasByteValueSatisfying(val -> Assertions.assertThat(val).isEqualTo(expected));
         return this;
     }
 
@@ -67,4 +71,25 @@ public HeaderAssert hasNullValue() {
         return this;
     }
 
+    public HeaderAssert hasStringValueSatisfying(ThrowingConsumer<String> assertion) {
+        String existingDescription = descriptionText();
+        isNotNull().value()
+                .asInstanceOf(InstanceOfAssertFactories.BYTE_ARRAY)
+                .asString(StandardCharsets.UTF_8)
+                .as(DESCRIBED_AS_PATTERN, existingDescription, VALUE_SUFFIX)
+                .satisfies(assertion::accept);
+
+        return this;
+    }
+
+    public HeaderAssert hasByteValueSatisfying(ThrowingConsumer<byte[]> assertion) {
+        String existingDescription = descriptionText();
+        isNotNull().value()
+                .asInstanceOf(InstanceOfAssertFactories.BYTE_ARRAY)
+                .as(DESCRIBED_AS_PATTERN, existingDescription, VALUE_SUFFIX)
+                .satisfies(assertion::accept);
+
+        return this;
+    }
+
 }
@@ -54,6 +54,31 @@ void testHeaderHasValueEqualTo() {
         assertThrowsIfHeaderNull(nullAssert -> nullAssert.hasValueEqualTo("any"));
     }
 
+    @Test
+    void testHeaderHasByteValue() {
+        byte[] expectedBytes = "abc".getBytes(StandardCharsets.UTF_8);
+        RecordHeader nonNullValue = new RecordHeader("foo", expectedBytes);
+        HeaderAssert nonNullValueAssert = KafkaAssertions.assertThat(nonNullValue);
+
+        nonNullValueAssert.hasValueEqualTo(expectedBytes);
+        throwsAssertionErrorContaining(() -> nonNullValueAssert.hasByteValueSatisfying(val -> org.assertj.core.api.Assertions.assertThat(val).isEmpty()),
+                "[header value]");
+        nonNullValueAssert.hasByteValueSatisfying(val -> org.assertj.core.api.Assertions.assertThat(val).isEqualTo(expectedBytes));
+    }
+
+    @Test
+    void testHeaderHasStringValue() {
+        String expectedStr = "abc";
+        byte[] expectedBytes = expectedStr.getBytes(StandardCharsets.UTF_8);
+        RecordHeader nonNullValue = new RecordHeader("foo", expectedStr.getBytes(StandardCharsets.UTF_8));
+        HeaderAssert nonNullValueAssert = KafkaAssertions.assertThat(nonNullValue);
+
+        nonNullValueAssert.hasValueEqualTo(expectedBytes);
+        throwsAssertionErrorContaining(() -> nonNullValueAssert.hasStringValueSatisfying(val -> org.assertj.core.api.Assertions.assertThat(val).isEmpty()),
+                "[header value]");
+        nonNullValueAssert.hasStringValueSatisfying(val -> org.assertj.core.api.Assertions.assertThat(val).isEqualTo(expectedStr));
+    }
+
     void assertThrowsIfHeaderNull(ThrowingConsumer<HeaderAssert> action) {
         HeaderAssert headerAssert = KafkaAssertions.assertThat((RecordHeader) null);
         throwsAssertionErrorContaining(() -> action.accept(headerAssert), "[null header]");
 
@@ -11,7 +11,9 @@
 import java.security.NoSuchAlgorithmException;
 import java.time.Duration;
 import java.util.HexFormat;
+import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
 import java.util.concurrent.CompletionStage;
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
@@ -63,13 +65,14 @@ public class OauthBearerValidationFilter
         SaslAuthenticateResponseFilter {
 
     private static final Logger LOGGER = LoggerFactory.getLogger(OauthBearerValidationFilter.class);
-
+    private static final SaslAuthenticationException INVALID_SASL_STATE_EXCEPTION = new SaslAuthenticationException("invalid sasl state");
     private final ScheduledExecutorService executorService;
     private final BackoffStrategy strategy;
     private final LoadingCache<String, AtomicInteger> rateLimiter;
     private final OAuthBearerValidatorCallbackHandler oauthHandler;
     private @Nullable SaslServer saslServer;
     private boolean validateAuthentication = true;
+    private @Nullable String authorizationId;
 
     public OauthBearerValidationFilter(ScheduledExecutorService executorService, SharedOauthBearerValidationContext sharedContext) {
         this.executorService = executorService;
@@ -102,6 +105,7 @@ public CompletionStage<RequestFilterResult> onSaslHandshakeRequest(short apiVers
         }
         catch (SaslException e) {
             LOGGER.debug("SASL error : {}", e.getMessage(), e);
+            notifyThrowable(context, e);
             return context.requestFilterResultBuilder()
                     .shortCircuitResponse(new SaslHandshakeResponseData().setErrorCode(UNKNOWN_SERVER_ERROR.code()))
                     .withCloseConnection()
@@ -125,23 +129,31 @@ public CompletionStage<RequestFilterResult> onSaslAuthenticateRequest(short apiV
                         .setErrorMessage("Unexpected SASL request")
                         .setAuthBytes(request.authBytes());
                 LOGGER.debug("SASL invalid state");
+                notifyThrowable(context, INVALID_SASL_STATE_EXCEPTION);
                 return context.requestFilterResultBuilder().shortCircuitResponse(failedResponse).withCloseConnection().completed();
             }
             this.saslServer = null;
 
             return authenticate(server, request.authBytes())
                     .thenCompose(bytes -> context.forwardRequest(header, request))
                     .exceptionallyCompose(e -> {
-                        if (e.getCause() instanceof SaslAuthenticationException) {
+                        if (e.getCause() instanceof SaslAuthenticationException cause) {
                             SaslAuthenticateResponseData failedResponse = new SaslAuthenticateResponseData()
                                     .setErrorCode(SASL_AUTHENTICATION_FAILED.code())
                                     .setErrorMessage(e.getMessage())
                                     .setAuthBytes(request.authBytes());
                             LOGGER.debug("SASL Authentication failed : {}", e.getMessage(), e);
+                            notifyThrowable(context, cause);
                             return context.requestFilterResultBuilder().shortCircuitResponse(failedResponse).withCloseConnection().completed();
                         }
                         else {
                             LOGGER.debug("SASL error : {}", e.getMessage(), e);
+                            if (e instanceof CompletionException) {
+                                notifyThrowable(context, e.getCause());
+                            }
+                            else {
+                                notifyThrowable(context, e);
+                            }
                             return context.requestFilterResultBuilder()
                                     .shortCircuitResponse(
                                             new SaslAuthenticateResponseData()
@@ -154,11 +166,21 @@ public CompletionStage<RequestFilterResult> onSaslAuthenticateRequest(short apiV
         }
     }
 
+    private void notifyThrowable(FilterContext context, Throwable e) {
+        if (e instanceof Exception ex) {
+            context.clientSaslAuthenticationFailure(OAUTHBEARER_MECHANISM, authorizationId, ex);
+        }
+        else {
+            context.clientSaslAuthenticationFailure(OAUTHBEARER_MECHANISM, authorizationId, new RuntimeException(e));
+        }
+    }
+
     @Override
     public CompletionStage<ResponseFilterResult> onSaslAuthenticateResponse(short apiVersion, ResponseHeaderData header,
                                                                             SaslAuthenticateResponseData response, FilterContext context) {
         if (response.errorCode() == NONE.code()) {
             this.validateAuthentication = false;
+            context.clientSaslAuthenticationSuccess(OAUTHBEARER_MECHANISM, Objects.requireNonNull(authorizationId));
         }
         return context.forwardResponse(header, response);
     }
@@ -197,6 +219,7 @@ private byte[] doAuthenticate(SaslServer server, byte[] authBytes) throws SaslEx
                 // at this step bytes would be a jsonResponseError from SASL server
                 throw new SaslAuthenticationException("SASL failed : " + new String(bytes, StandardCharsets.UTF_8));
             }
+            this.authorizationId = server.getAuthorizationID();
             return bytes;
         }
         finally {