From ca9434f55e16413b9844aaeaa01efa1210f911da Mon Sep 17 00:00:00 2001
From: eescobar <eescobar@twilio.com>
Date: Wed, 19 Nov 2025 15:13:45 -0500
Subject: [PATCH 1/2] [AUTHR-376] Implement Oauthbearer mechanism

---
 sasl/oauthbearer/oauthbearer.go | 34 +++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 sasl/oauthbearer/oauthbearer.go

diff --git a/sasl/oauthbearer/oauthbearer.go b/sasl/oauthbearer/oauthbearer.go
new file mode 100644
index 000000000..a7e61aa21
--- /dev/null
+++ b/sasl/oauthbearer/oauthbearer.go
@@ -0,0 +1,34 @@
+package oauthbearer
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/segmentio/kafka-go/sasl"
+)
+
+// Mechanism implements the OAUTHBEARER mechanism and passes the token.
+type Mechanism struct {
+	Token string
+}
+
+func (Mechanism) Name() string {
+	return "OAUTHBEARER"
+}
+
+func (m Mechanism) Start(ctx context.Context) (sasl.StateMachine, []byte, error) {
+	if m.Token == "" {
+		return nil, nil, errors.New("token must have a value")
+	}
+	header := fmt.Sprintf("n,,\x01auth=Bearer %s\x01", m.Token)
+	byteArrayHeader := []byte(header)
+	return m, byteArrayHeader, nil
+}
+
+func (m Mechanism) Next(ctx context.Context, challenge []byte) (bool, []byte, error) {
+	if len(challenge) == 0 {
+		return true, nil, nil
+	}
+	return false, nil, errors.New("invalid response")
+}

From ed4a364451f716fd182ecf72d2d7a297f4ee187a Mon Sep 17 00:00:00 2001
From: eescobar <eescobar@twilio.com>
Date: Wed, 19 Nov 2025 17:54:11 -0500
Subject: [PATCH 2/2] [AUTHR-376] Add missing character

---
 sasl/oauthbearer/oauthbearer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sasl/oauthbearer/oauthbearer.go b/sasl/oauthbearer/oauthbearer.go
index a7e61aa21..332338330 100644
--- a/sasl/oauthbearer/oauthbearer.go
+++ b/sasl/oauthbearer/oauthbearer.go
@@ -21,7 +21,7 @@ func (m Mechanism) Start(ctx context.Context) (sasl.StateMachine, []byte, error)
 	if m.Token == "" {
 		return nil, nil, errors.New("token must have a value")
 	}
-	header := fmt.Sprintf("n,,\x01auth=Bearer %s\x01", m.Token)
+	header := fmt.Sprintf("n,,\x01auth=Bearer %s\x01\x01", m.Token)
 	byteArrayHeader := []byte(header)
 	return m, byteArrayHeader, nil
 }