robobario
diff --git a/‎CHANGELOG.md‎
Lines changed: 2 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/available-filters.adoc‎
Lines changed: 2 additions & 3 deletions b/‎docs/available-filters.adoc‎
Lines changed: 2 additions & 3 deletions
diff --git a/‎docs/available-filters/oauthbearer/oauthbearer.adoc‎
Lines changed: 64 additions & 0 deletions b/‎docs/available-filters/oauthbearer/oauthbearer.adoc‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎kroxylicious-app/pom.xml‎
Lines changed: 6 additions & 1 deletion b/‎kroxylicious-app/pom.xml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎kroxylicious-bom/pom.xml‎
Lines changed: 7 additions & 1 deletion b/‎kroxylicious-bom/pom.xml‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎kroxylicious-filters/kroxylicious-oauthbearer-validation/pom.xml‎
Lines changed: 126 additions & 0 deletions b/‎kroxylicious-filters/kroxylicious-oauthbearer-validation/pom.xml‎
Lines changed: 126 additions & 0 deletions
@@ -7,6 +7,7 @@ Format `<github issue/pr number>: <short description>`.
 
 ## SNAPSHOT
 
+* [#1195](https://github.com/kroxylicious/kroxylicious/pull/1195): SASL OAUTHBEARER validation filter 
 * [#1076](https://github.com/kroxylicious/kroxylicious/issues/1076): AWS KMS implementation for Record Encryption
 * [#1201](https://github.com/kroxylicious/kroxylicious/pull/1201): Bump com.fasterxml.jackson:jackson-bom from 2.17.0 to 2.17.1
 * [#1158](https://github.com/kroxylicious/kroxylicious/pull/1158): Bump io.netty:netty-bom from 4.1.108.Final to 4.1.109.Final
@@ -210,5 +211,4 @@ The names used to identify micrometer configuration hooks in configuration have
 - `StandardBindersContributor` -> `StandardBindersHook`
 - 
 #### CVE Fixes
-CVE-2023-44487 [#675](https://github.com/kroxylicious/kroxylicious/pull/675)
-
+CVE-2023-44487 [#675](https://github.com/kroxylicious/kroxylicious/pull/675)
@@ -7,10 +7,9 @@ The following filters are provided built-in as part of the distribution.
 include::available-filters/record-encryption/record-encryption.adoc[leveloffset=2]
 include::available-filters/multi-tenancy/multi-tenancy.adoc[leveloffset=2]
 include::available-filters//schema-validation/schema-validation.adoc[leveloffset=2]
+include::available-filters/oauthbearer/oauthbearer.adoc[leveloffset=2]
 
 == Community filters
 
 Community contributed filters are showcased in the
-https://github.com/kroxylicious/kroxylicious-community-gallery[Community Gallery].
-
-
+https://github.com/kroxylicious/kroxylicious-community-gallery[Community Gallery].
@@ -0,0 +1,64 @@
+= OAUTHBEARER validation
+
+== What is it?
+
+OauthBearerValidation filter enables a validation on the JWT token received from client before forwarding it to cluster.
+
+If the token is not validated, then the request is short-circuited.
+It reduces resource consumption on the cluster when a client sends too many invalid SASL requests.
+
+[mermaid]
+....
+sequenceDiagram
+    Client->>Kroxylicious: Handshake request
+    Kroxylicious->>Cluster: Forward Handshake request
+    Cluster-->>Kroxylicious: Handshake response
+    Kroxylicious-->>Client: Handshake response
+    Client->>Kroxylicious: Authenticate request
+    Kroxylicious->>Kroxylicious: Validate token
+    break Token validation fails
+        Kroxylicious->>Client: Invalid token
+    end
+    Kroxylicious->>Cluster: Authenticate request
+    Cluster-->>Kroxylicious: Authenticate response
+    Kroxylicious-->>Client: Authenticate response
+....
+
+== How to use the filter
+
+There are two steps to using the filter.
+
+1. <<Configuring virtual clusters>>
+2. Configuring the filter within Kroxylicious.
+
+=== Configuring the filter within Kroxylicious.
+
+[source, yaml]
+----
+filters:
+  - type: OauthBearerValidation
+    config:
+      jwksEndpointUrl: https://oauth/JWKS   #<1>
+      jwksEndpointRefreshMs: 3600000        #<2>
+      jwksEndpointRetryBackoffMs: 100       #<3>
+      jwksEndpointRetryBackoffMaxMs: 10000  #<4>
+      scopeClaimName: scope                 #<5>
+      subClaimName: sub                     #<6>
+      authenticateBackOffMaxMs: 60000       #<7>
+      authenticateCacheMaxSize: 1000        #<8>
+      expectedAudience: https://first.audience, https//second.audience #<9>
+      expectedIssuer: https://your-domain.auth/ #<10>
+----
+
+<1> The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved.
+<2> The (optional) value in milliseconds for the broker to wait between refreshing its JWKS (JSON Web Key Set) cache that contains the keys to verify the signature of the JWT.
+<3> The (optional) value in milliseconds for the initial wait between JWKS (JSON Web Key Set) retrieval attempts from the external authentication provider.
+<4> The (optional) value in milliseconds for the maximum wait between attempts to retrieve the JWKS (JSON Web Key Set) from the external authentication provider.
+<5> This (optional) setting can provide a different name to use for the scope included in the JWT payload's claims.
+<6> This (optional) setting can provide a different name to use for the subject included in the JWT payload's claims.
+<7> The (optional) maximum value in milliseconds to limit the client sending authenticate request. Setting 0 will never limit the client. Otherwise, an exponential delay is added to each authenticate request until the authenticateBackOffMaxMs has been reached.
+<8> The (optional) maximum number of failed tokens kept in cache.
+<9> The (optional) comma-delimited setting for the broker to use to verify that the JWT was issued for one of the expected audiences.
+<10> The (optional) setting for the broker to use to verify that the JWT was created by the expected issuer.
+
+Note: OauthBearer config follows https://kafka.apache.org/documentation/#security_ssl[kafka's properties]
@@ -245,7 +245,12 @@
                     <artifactId>kroxylicious-kms-provider-aws-kms</artifactId>
                     <scope>runtime</scope>
                 </dependency>
+                <dependency>
+                    <groupId>io.kroxylicious</groupId>
+                    <artifactId>kroxylicious-oauthbearer-validation</artifactId>
+                    <scope>runtime</scope>
+                </dependency>
             </dependencies>
         </profile>
     </profiles>
-</project>
+</project>
@@ -171,6 +171,12 @@
                 <version>${project.version}</version>
             </dependency>
 
+            <dependency>
+                <groupId>io.kroxylicious</groupId>
+                <artifactId>kroxylicious-oauthbearer-validation</artifactId>
+                <version>${project.version}</version>
+            </dependency>
+
             <!-- testing dependencies -->
             <!-- note scope is *not* set at this level -->
             <dependency>
@@ -312,4 +318,4 @@
             </build>
         </profile>
     </profiles>
-</project>
+</project>
@@ -0,0 +1,126 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+    Copyright Kroxylicious Authors.
+
+    Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.kroxylicious</groupId>
+        <artifactId>kroxylicious-filter-parent</artifactId>
+        <version>0.6.0-SNAPSHOT</version>
+        <relativePath>../pom.xml</relativePath>
+    </parent>
+
+    <artifactId>kroxylicious-oauthbearer-validation</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Oauthbearer filter</name>
+    <description>Pre-validate oauth token before sending it to upstream kafka</description>
+
+    <dependencies>
+        <!-- project dependencies - runtime and compile -->
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-api</artifactId>
+        </dependency>
+
+        <!-- third party dependencies - runtime and compile  -->
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-annotations</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.kafka</groupId>
+            <artifactId>kafka-clients</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.bitbucket.b_c</groupId>
+            <artifactId>jose4j</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+        </dependency>
+
+        <!-- project dependencies - test -->
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-junit-jupiter</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.dataformat</groupId>
+            <artifactId>jackson-dataformat-yaml</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-annotations</artifactId>
+        </dependency>
+      <dependency>
+        <groupId>com.github.spotbugs</groupId>
+        <artifactId>spotbugs-annotations</artifactId>
+      </dependency>
+      <dependency>
+        <groupId>com.github.ben-manes.caffeine</groupId>
+        <artifactId>caffeine</artifactId>
+      </dependency>
+        <dependency>
+            <groupId>io.kroxylicious</groupId>
+            <artifactId>kroxylicious-filter-test-support</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>analyze</id>
+                        <configuration>
+                            <ignoredUnusedDeclaredDependencies>
+                                <ignoredUnusedDeclaredDependency>org.bitbucket.b_c:jose4j</ignoredUnusedDeclaredDependency>
+                                <ignoredUnusedDeclaredDependency>io.kroxylicious:kroxylicious-annotations</ignoredUnusedDeclaredDependency>
+                            </ignoredUnusedDeclaredDependencies>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+
+</project>