Logstash Kafka Input Plugin Fails to Load OAUTHBEARER strimzi CallbackHandler Class

niveditakathal · June 25, 2025, 11:30am

Hi Experts,

I'm encountering a Kafka OAuth setup issue in Logstash where it fails to load the JaasClientOauthLoginCallbackHandler class from the Strimzi libraries.

Error Message:
ConfigException: Invalid value io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler for configuration sasl.login.callback.handler.class: Class ... could not be found.

Environment & Setup:

Jar files in /usr/share/logstash/jars :

json-smart-2.5.0.jar
kafka-oauth-client-0.8.1.jar
kafka-oauth-common-0.8.1.jar
kafka-oauth-keycloak-authorizer-0.8.1.jar
kafka-oauth-server-0.8.1.jar
lang-tag-1.4.4.jar
nimbus-jose-jwt-9.37.3.jar
oauth2-oidc-sdk-10.8.jar
slf4j-api-1.7.36.jar

Kafka JAAS config ( /usr/share/logstash/config/kafka-jaas.conf ):

  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
  oauth.client.id="kafka"
  oauth.client.secret="***"
  oauth.token.endpoint.uri="https://<auth-endpoint>"
  oauth.username="kafkatst"
  oauth.password="***";
};

Logstash input config:

  kafka {
    bootstrap_servers => "il-kafka-tst.local:9093"
    topics => ["test"]
    group_id => "kafkatst"
    codec => "json"
    security_protocol => "SASL_PLAINTEXT"
    sasl_mechanism => "OAUTHBEARER"
    sasl_login_callback_handler_class => "io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler"
    jaas_path => "/usr/share/logstash/config/kafka-jaas.conf"
  }
}

Could someone help me fix this issue?

Thanks in advance !
Nivedita

niveditakathal · July 1, 2025, 12:16pm

The issue was resolved by updating the deployment.yaml file with the appropriate container configuration for dev-logstash, which includes a custom startup command and volume mount to ensure necessary JARs are available at runtime.

containers:
  - name: dev-logstash
    image: logstash:8.18.0
    imagePullPolicy: Always
    command:
      - "sh"
      - "-c"
      - > cp /usr/share/logstash/jars/* /usr/share/logstash/logstash-core/lib/jars/ &&
        exec /usr/local/bin/docker-entrypoint
    volumeMounts:
      - name: strimzi-kafka-oauth-client-jars-volume
        mountPath: /usr/share/logstash/jars

Note : I used initContainers to download the jars first

Topic		Replies	Views
Logstash client authentication issue Logstash	1	192	March 28, 2024
Provide custom Kafka message decoder to Logstash Logstash	9	4953	July 6, 2017
Kafka input - Could not find a 'KafkaClient' entry in the JAAS configuration Logstash	2	8454	April 1, 2019
Logstash Kafka Output with Azure Managed Identity Failing with ClassNotFoundException Logstash docker	0	27	March 23, 2025
Logstash Kafka Input Plugin Throws Errors missing class name (`org.apache.kafka.clients.consumer.ConsumerConfig') Logstash	4	841	November 21, 2017

Logstash Kafka Input Plugin Fails to Load OAUTHBEARER strimzi CallbackHandler Class

Related topics