Address comments

Author: emasab

INTRODUCTION.md

@@ -1249,23 +1249,25 @@ Currently these authentication types are supported:
 
 ###### Azure IMDS
 
-to use this method you set:
+To use this method you set:
 
-* `sasl.oauthbearer.metadata.authentication.type=azure_imds` this make that ` sasl.oauthbearer.client.id`
-and `sasl.oauthbearer.client.secret` aren't required
+* `sasl.oauthbearer.metadata.authentication.type=azure_imds` this makes it so 
+   that ` sasl.oauthbearer.client.id` and `sasl.oauthbearer.client.secret` 
+   aren't required.
 * `sasl.oauthbearer.config` is a general purpose configuration property
-  In this case it's accepts comma-separated `key=value` pairs.
-  The `params` key is required and its value is the GET query string to append
+  In this case it accepts comma-separated `key=value` pairs.
+  The `query` key is required in case `sasl.oauthbearer.token.endpoint.url` isn't
+  specified and its value is the GET query string to append
   to the token endpoint URL. Such query string contains params required by
   Azure IMDS such as `client_id` (the UAMI), `resource` for determining the
   target audience and `api-version` for the API version to be used by the endpoint
-* `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically
-  when chosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can
-  be customized
+* `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically.
+  when choosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can
+  be customized.
 
 
 _Example:_  `sasl.oauthbearer.metadata.authentication.type=azure_imds` and
-`sasl.oauthbearer.config=params=api-version=2018-02-01&resource=api://<App registration client id>&client_id=<UAMI client id>`
+`sasl.oauthbearer.config=params=api-version=2025-04-07&resource=api://<App registration client id>&client_id=<UAMI client id>`
 
 
 <a name="sparse-connections"></a>

src/rdhttp.c

@@ -603,49 +603,34 @@ rd_http_error_t *rd_http_post_expect_json(rd_kafka_t *rk,
  * @brief Append \p params to \p url, taking care of existing query parameters
  *        and hash fragments. \p params must be already URL encoded.
  *
- * @returns A newly allocated string with the appended parameters.
+ * @returns A newly allocated string with the appended parameters or NULL
+ *          on error.
  */
 char *rd_http_get_params_append(const char *url, const char *params) {
-        size_t params_len, of = 0;
-        if (!params || !*params)
-                return rd_strdup(url);
-
-        params_len = strlen(params);
-
-        char *hash_pos          = strstr(url, "#"),
-             *has_question_mark = strchr(url, '?');
-        char *separator         = "";
-        char *ret;
-        size_t insert_pos = strlen(url);
-        if (hash_pos)
-                insert_pos = hash_pos - url;
-
-        if (has_question_mark && (url + insert_pos) < has_question_mark)
-                /* Skip question marks after URL end */
-                has_question_mark = NULL;
-
-        if (has_question_mark &&
-            insert_pos > (size_t)(has_question_mark - url) + 1)
-                separator = "&";
-        else if (!has_question_mark)
-                separator = "?";
-
-        if (separator[0] == '&' && url[0] && url[insert_pos - 1] == '&')
-                /* Don't duplicate last & */
-                separator = "";
-
-        ret = rd_malloc(insert_pos + strlen(separator) + params_len + 1);
-        memcpy(ret, url, insert_pos);
-        of += insert_pos;
-        if (separator[0]) {
-                ret[insert_pos] = separator[0];
-                of++;
-        }
-        memcpy(ret + of, params, params_len);
-        of += params_len;
-        ret[of] = '\0';
-
-        return ret;
+        char *new_url;
+        CURLU *u     = curl_url();
+        CURLUcode rc = curl_url_set(u, CURLUPART_URL, url, 0);
+        if (rc != CURLUE_OK)
+                goto err;
+
+        rc = curl_url_set(u, CURLUPART_QUERY, params, CURLU_APPENDQUERY);
+        if (rc != CURLUE_OK)
+                goto err;
+
+        rc = curl_url_set(u, CURLUPART_FRAGMENT, NULL,
+                          0);  // remove hash fragment
+        if (rc != CURLUE_OK)
+                goto err;
+
+        rc = curl_url_get(u, CURLUPART_URL, &new_url, 0);
+        if (rc != CURLUE_OK)
+                goto err;
+
+        curl_url_cleanup(u);
+        return new_url;
+err:
+        curl_url_cleanup(u);
+        return NULL;
 }
 
 /**
@@ -773,17 +758,13 @@ int unittest_http_get_params_append(void) {
         rd_kafka_t *rk;
         char *res;
         RD_UT_BEGIN();
-        char *tests[] = {"",
-                         "",
+        char *tests[] = {"http://localhost:1234",
                          "",
+                         "http://localhost:1234/",
 
-                         "http://localhost:1234",
-                         "",
-                         "http://localhost:1234",
-
-                         "http://localhost:1234",
+                         "http://localhost:1234/",
                          "a=1",
-                         "http://localhost:1234?a=1",
+                         "http://localhost:1234/?a=1",
 
                          "https://localhost:1234/",
                          "a=1&b=2",
@@ -793,30 +774,31 @@ int unittest_http_get_params_append(void) {
                          "c=hi",
                          "http://mydomain.com/?a=1&c=hi",
 
-                         "https://mydomain.com?",
+                         "https://mydomain.com/?",
                          "c=hi",
-                         "https://mydomain.com?c=hi",
+                         "https://mydomain.com/?c=hi",
 
-                         "http://localhost:1234?a=1&b=2#&c=3",
+                         "http://localhost:1234/path?a=1&b=2#&c=3",
                          "c=hi",
-                         "http://localhost:1234?a=1&b=2&c=hi",
+                         "http://localhost:1234/path?a=1&b=2&c=hi",
 
                          "http://localhost:1234#?c=3",
                          "a=1",
-                         "http://localhost:1234?a=1",
+                         "http://localhost:1234/?a=1",
 
-                         "https://otherdomain.io?a=1&#c=3",
+                         "https://otherdomain.io/path?a=1&#c=3",
                          "b=2",
-                         "https://otherdomain.io?a=1&b=2",
+                         "https://otherdomain.io/path?a=1&b=2",
+                         NULL};
 
-                         "",
-                         "a=2&b=3",
-                         "?a=2&b=3",
 
-                         NULL};
-        char **test   = tests;
+        res = rd_http_get_params_append("", "");
+        RD_UT_ASSERT(!res, "Expected NULL result, got: \"%s\"", res);
+        res = rd_http_get_params_append("", "a=2&b=3");
+        RD_UT_ASSERT(!res, "Expected NULL result, got: \"%s\"", res);
 
-        rk = rd_calloc(1, sizeof(*rk));
+        char **test = tests;
+        rk          = rd_calloc(1, sizeof(*rk));
         while (test[0]) {
                 res = rd_http_get_params_append(test[0], test[1]);
                 RD_UT_ASSERT(!strcmp(res, test[2]),

src/rdkafka_conf.h

@@ -372,7 +372,7 @@ struct rd_kafka_conf_s {
                         struct {
                                 rd_kafka_oauthbearer_metadata_authentication_type_t
                                     type;
-                                const char *params;
+                                const char *query;
                         } metadata_authentication;
 
 

src/rdkafka_sasl_oauthbearer_oidc.c

@@ -1003,8 +1003,8 @@ void rd_kafka_oidc_token_client_credentials_refresh_cb(
  * @brief Implementation of Oauth/OIDC token refresh callback function
  *        for Azure IMDS,
  *        will receive the JSON response after HTTP(S) GET call to token
- * provider, then extract the jwt from the JSON response, and forward it to the
- * broker.
+ *        provider, then extract the jwt from the JSON response, and
+ *        forward it to the broker.
  */
 void rd_kafka_oidc_token_metadata_azure_imds_refresh_cb(
     rd_kafka_t *rk,
@@ -1040,30 +1040,40 @@ void rd_kafka_oidc_token_metadata_azure_imds_refresh_cb(
                 return;
 
         if (rk->rk_conf.sasl.oauthbearer_config &&
-            !rk->rk_conf.sasl.oauthbearer.metadata_authentication.params) {
+            !rk->rk_conf.sasl.oauthbearer.metadata_authentication.query) {
                 size_t i, oauthbearer_config_cnt;
                 char **config_pairs =
                     rd_string_split(rk->rk_conf.sasl.oauthbearer_config, ',',
                                     rd_true, &oauthbearer_config_cnt);
                 for (i = 0; i < oauthbearer_config_cnt; i++) {
                         char *config_pair = config_pairs[i];
-                        char *params_pos  = strstr(config_pair, "params=");
-                        if (params_pos == config_pair) {
+                        char *query_pos   = strstr(config_pair, "query=");
+                        if (query_pos == config_pair) {
                                 rk->rk_conf.sasl.oauthbearer
-                                    .metadata_authentication.params =
-                                    params_pos + strlen("params=");
+                                    .metadata_authentication.query =
+                                    query_pos + strlen("query=");
                                 break;
                         }
                 }
-                if (!rk->rk_conf.sasl.oauthbearer.metadata_authentication
-                         .params)
+                if (!rk->rk_conf.sasl.oauthbearer.metadata_authentication.query)
                         rk->rk_conf.sasl.oauthbearer.metadata_authentication
-                            .params = "";
+                            .query = "";
         }
 
         token_endpoint_url = rd_http_get_params_append(
             rk->rk_conf.sasl.oauthbearer.token_endpoint_url,
-            rk->rk_conf.sasl.oauthbearer.metadata_authentication.params);
+            rk->rk_conf.sasl.oauthbearer.metadata_authentication.query);
+        if (token_endpoint_url == NULL) {
+                rd_snprintf(
+                    set_token_errstr, sizeof(set_token_errstr),
+                    "Failed to append params \"%s\" to token endpoint "
+                    "URL \"%s\"",
+                    rk->rk_conf.sasl.oauthbearer.metadata_authentication.query,
+                    rk->rk_conf.sasl.oauthbearer.token_endpoint_url);
+                rd_kafka_log(rk, LOG_ERR, "OIDC", "%s", set_token_errstr);
+                rd_kafka_oauthbearer_set_token_failure(rk, set_token_errstr);
+                goto done;
+        }
 
         herr = rd_http_get_json(rk, token_endpoint_url, headers_array, 1,
                                 timeout_s, retries, retry_ms, &json);

tests/0126-oauthbearer_oidc.c

@@ -424,41 +424,37 @@ static rd_kafka_conf_t *oidc_configuration_metadata_authentication(
                 test_conf_set(conf,
                               "sasl.oauthbearer.metadata.authentication.type",
                               "azure_imds");
-                test_conf_set(
-                    conf, "sasl.oauthbearer.config",
-                    "params=__metadata_authentication_type=azure_imds&"
-                    "api-version=2018-02-01&resource="
-                    "api://external_resource_id&client_id=client_id");
+                test_conf_set(conf, "sasl.oauthbearer.config",
+                              "query=__metadata_authentication_type=azure_imds&"
+                              "api-version=2025-04-07&resource="
+                              "api://external_resource_id&client_id=client_id");
                 break;
         case OIDC_CONFIGURATION_METADATA_AUTHENTICATION_VARIATION_AZURE_IMDS_MISSING_CLIENT_ID:
                 test_conf_set(conf,
                               "sasl.oauthbearer.metadata.authentication.type",
                               "azure_imds");
-                test_conf_set(
-                    conf, "sasl.oauthbearer.config",
-                    "params=__metadata_authentication_type=azure_imds&"
-                    "api-version=2018-02-01&resource="
-                    "api://external_resource_id");
+                test_conf_set(conf, "sasl.oauthbearer.config",
+                              "query=__metadata_authentication_type=azure_imds&"
+                              "api-version=2025-04-07&resource="
+                              "api://external_resource_id");
                 break;
         case OIDC_CONFIGURATION_METADATA_AUTHENTICATION_VARIATION_AZURE_IMDS_MISSING_RESOURCE:
                 test_conf_set(conf,
                               "sasl.oauthbearer.metadata.authentication.type",
                               "azure_imds");
-                test_conf_set(
-                    conf, "sasl.oauthbearer.config",
-                    "params=__metadata_authentication_type=azure_imds&"
-                    "api-version=2018-02-01&"
-                    "client_id=client_id");
+                test_conf_set(conf, "sasl.oauthbearer.config",
+                              "query=__metadata_authentication_type=azure_imds&"
+                              "api-version=2025-04-07&"
+                              "client_id=client_id");
                 break;
         case OIDC_CONFIGURATION_METADATA_AUTHENTICATION_VARIATION_AZURE_IMDS_MISSING_API_VERSION:
                 test_conf_set(conf,
                               "sasl.oauthbearer.metadata.authentication.type",
                               "azure_imds");
-                test_conf_set(
-                    conf, "sasl.oauthbearer.config",
-                    "params=__metadata_authentication_type=azure_imds&"
-                    "resource="
-                    "api://external_resource_id&client_id=client_id");
+                test_conf_set(conf, "sasl.oauthbearer.config",
+                              "query=__metadata_authentication_type=azure_imds&"
+                              "resource="
+                              "api://external_resource_id&client_id=client_id");
                 break;
         default:
                 TEST_ASSERT(rd_false,