OAuth Client Configuration Overview

This section provides configuration instructions for different client types connecting to Confluent Cloud using OAuth 2.0 authentication.

Prerequisites

Before configuring OAuth authentication, ensure you have:

  • Confluent Cloud account: Active Confluent Cloud account with OAuth enabled
  • OAuth identity provider: Configured OAuth/OIDC identity provider
  • Client credentials: OAuth client ID and secret from your identity provider
  • Cluster information: Logical cluster ID and identity pool ID from Confluent Cloud

Supported client types

Confluent Cloud supports OAuth authentication for the following client types:

Java clients

  • Apache Kafka® client 4.0.0 or later
  • Confluent Platform 7.2.1 or later, or 7.1.3 or later
  • Schema Registry Java clients

Python clients

  • confluent-kafka-python 2.0.0 or later
  • Python 3.7 or later

.NET clients

  • Confluent.Kafka 2.0.0 or later
  • .NET Framework 4.6.1 or later, or .NET Core 2.1 or later

Go clients

  • confluent-kafka-go 2.0.0 or later
  • Go 1.16 or later
  • librdkafka 1.9.2 or later

JavaScript clients

  • Schema Registry JavaScript clients
  • Node.js 14 or later

Common configuration parameters

All OAuth client configurations require these common parameters:

Parameter                      Description                              Default      Required
sasl.mechanism                 SASL mechanism for OAuth authentication  OAUTHBEARER  Yes
sasl.oauth.token.endpoint.uri  OAuth token endpoint URL                 None         Yes
sasl.oauth.client.id           OAuth client ID                          None         Yes
sasl.oauth.client.secret       OAuth client secret                      None         Yes
sasl.oauth.scope               OAuth scopes for token request           None         No
sasl.oauth.logical.cluster     Logical cluster ID for Confluent Cloud   None         Yes
sasl.oauth.identity.pool.id    Identity pool ID for Confluent Cloud     None         No
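The following helper, an added example that is not part of the Confluent documentation or client libraries, turns the table above into a pre-flight check: it fills in the OAUTHBEARER default, reads the client secret from an environment variable rather than from the properties mapping, rejects a configuration that is missing any required key or that points at a non-HTTPS token endpoint, and produces a redacted copy that is safe to log. The environment variable name KAFKA_OAUTH_CLIENT_SECRET is an assumption chosen for this example.

```python
"""Build and validate a Confluent Cloud OAuth client configuration.

Added example (not Confluent's code). Required/optional status of each key
follows the parameter table above; the secret is resolved from the
environment so it never sits in a plaintext properties file.
"""
import os
from typing import Dict, Mapping, Optional
from urllib.parse import urlparse

# Keys marked "Required: Yes" in the parameter table.
REQUIRED_PARAMS = (
    "sasl.mechanism",
    "sasl.oauth.token.endpoint.uri",
    "sasl.oauth.client.id",
    "sasl.oauth.client.secret",
    "sasl.oauth.logical.cluster",
)
# Keys marked "Required: No".
OPTIONAL_PARAMS = ("sasl.oauth.scope", "sasl.oauth.identity.pool.id")

# Assumed environment variable name for this example; pick your own.
SECRET_ENV_VAR = "KAFKA_OAUTH_CLIENT_SECRET"


def build_oauth_config(base: Mapping[str, str],
                       env: Optional[Mapping[str, str]] = None) -> Dict[str, str]:
    """Return a validated copy of ``base`` with the secret taken from ``env``.

    Raises ValueError listing every problem found, so a misconfigured client
    fails at startup instead of at the first broker connection.
    """
    if env is None:
        env = os.environ
    cfg = dict(base)
    cfg.setdefault("sasl.mechanism", "OAUTHBEARER")  # table default
    # The secret comes from the environment; a value in ``base`` is overridden.
    if SECRET_ENV_VAR in env:
        cfg["sasl.oauth.client.secret"] = env[SECRET_ENV_VAR]

    problems = []
    missing = [k for k in REQUIRED_PARAMS if not cfg.get(k)]
    if missing:
        problems.append("missing required OAuth parameters: " + ", ".join(missing))
    if cfg["sasl.mechanism"] != "OAUTHBEARER":
        problems.append("sasl.mechanism must be OAUTHBEARER for OAuth clients")
    endpoint = urlparse(cfg.get("sasl.oauth.token.endpoint.uri", ""))
    if endpoint.scheme != "https" or not endpoint.netloc:
        # Credentials are posted to this URL; plain http would expose them.
        problems.append("sasl.oauth.token.endpoint.uri must be an absolute https:// URL")
    if problems:
        raise ValueError("; ".join(problems))
    return cfg


def redacted(cfg: Mapping[str, str]) -> Dict[str, str]:
    """Copy of the configuration with the client secret masked, for logging."""
    return {k: ("***" if k == "sasl.oauth.client.secret" else v)
            for k, v in cfg.items()}


if __name__ == "__main__":
    # Constructed sample input; the secret would normally be in the environment.
    sample = {
        "sasl.oauth.token.endpoint.uri": "https://idp.example.com/oauth2/token",
        "sasl.oauth.client.id": "kafka-app",
        "sasl.oauth.logical.cluster": "lkc-xxxxx",
    }
    print(redacted(build_oauth_config(sample, env={SECRET_ENV_VAR: "example-secret"})))
```

Non-OAuth keys such as bootstrap.servers pass through untouched, so the helper can wrap a full client configuration; only the OAuth keys from the table are checked.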

Authentication flow

The OAuth authentication flow follows these steps:

  1. Client Initialization: Client is configured with OAuth parameters
  2. Token Request: Client requests access token from OAuth provider
  3. Token Validation: OAuth provider validates credentials and returns token
  4. Broker Authentication: Client presents token to Kafka broker
  5. Access Control: Broker validates token and grants access

Key benefits:

  • Centralized Identity Management: Use external OAuth/OIDC providers
  • Token-Based Authentication: Configurable token lifetimes
  • No Credential Distribution: No need to distribute long-lived credentials
  • Fine-Grained Access Control: Support for scoped permissions

Configuration examples

Basic OAuth configuration:

# Common OAuth configuration
sasl.mechanism=OAUTHBEARER
sasl.oauth.token.endpoint.uri=https://your-oauth-provider.com/oauth2/token
sasl.oauth.client.id=your-client-id
sasl.oauth.client.secret=your-client-secret
sasl.oauth.scope=kafka:read kafka:write
sasl.oauth.logical.cluster=lkc-xxxxx
sasl.oauth.identity.pool.id=pool-xxxxx

Environment-specific configuration:

# Development environment
sasl.oauth.token.endpoint.uri=https://dev-auth.example.com/oauth2/token
sasl.oauth.client.id=dev-kafka-client
sasl.oauth.scope=kafka:dev

# Production environment
sasl.oauth.token.endpoint.uri=https://prod-auth.example.com/oauth2/token
sasl.oauth.client.id=prod-kafka-client
sasl.oauth.scope=kafka:prod

Error handling

Implement proper error handling for OAuth authentication:

  • Network Failures: Handle connection timeouts and retry with exponential backoff
  • Authentication Failures: Validate credentials and token endpoint URLs
  • Token Expiration: Implement token refresh logic
  • Configuration Errors: Validate all required parameters
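The class below is an added example, not code from Confluent or its client libraries, covering the token request step of the authentication flow and the error-handling points listed above in one place: it obtains a token with the client-credentials grant, caches it, refreshes it ahead of expiry, retries transient failures (timeouts, 5xx) with exponential backoff and jitter, and fails fast on credential rejections so a misconfiguration is surfaced instead of hammered. Its oauth_cb method has the shape confluent-kafka-python expects for the oauth_cb setting, a callable that returns (token, expiry_epoch_seconds). The HTTP transport is injected; urllib_fetch (stdlib only) and FakeTokenEndpoint are assumed implementations written for this example, and the token URL and client names are constructed.

```python
"""Client-credentials token provider with caching, refresh and backoff.

Added example, not Confluent's code. The transport is a plain callable so the
provider runs offline against FakeTokenEndpoint below.
"""
import json
import random
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Optional, Tuple


class TransientTokenError(Exception):
    """Timeout or 5xx from the token endpoint: retrying may succeed."""


class PermanentTokenError(Exception):
    """400/401 such as invalid_client: retrying cannot help, fix the config."""


def urllib_fetch(token_uri: str, form: Dict[str, str], timeout: float = 5.0) -> Dict:
    """POST the client-credentials form and classify failures (assumed helper)."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        token_uri, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:          # subclass of URLError, check first
        if e.code >= 500:
            raise TransientTokenError(f"token endpoint returned {e.code}") from e
        raise PermanentTokenError(f"token request rejected with {e.code}") from e
    except (urllib.error.URLError, OSError) as e:  # DNS, connect, read timeouts
        raise TransientTokenError(str(e)) from e


class ClientCredentialsTokenProvider:
    def __init__(self, token_uri, client_id, client_secret, scope=None,
                 fetch=urllib_fetch, max_attempts=5, base_delay=0.5,
                 max_delay=30.0, refresh_margin=60.0,
                 sleep=time.sleep, now=time.time):
        self._form = {"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret}
        if scope:
            self._form["scope"] = scope
        self._token_uri, self._fetch = token_uri, fetch
        self._max_attempts, self._base_delay = max_attempts, base_delay
        self._max_delay, self._refresh_margin = max_delay, refresh_margin
        self._sleep, self._now = sleep, now
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _request_token(self) -> Dict:
        delay = self._base_delay
        for attempt in range(1, self._max_attempts + 1):
            try:
                return self._fetch(self._token_uri, dict(self._form))
            except TransientTokenError:
                if attempt == self._max_attempts:
                    raise
                # Exponential backoff with jitter so a fleet of clients does
                # not retry in lockstep after an IdP outage.
                self._sleep(delay + random.uniform(0, delay))
                delay = min(delay * 2, self._max_delay)
        raise AssertionError("unreachable")

    def token(self) -> Tuple[str, float]:
        """Return (token, expiry) from cache, refreshing inside the margin."""
        now = self._now()
        if self._token is None or now >= self._expires_at - self._refresh_margin:
            resp = self._request_token()          # PermanentTokenError propagates
            self._token = resp["access_token"]
            self._expires_at = now + float(resp.get("expires_in", 300))
        return self._token, self._expires_at

    def oauth_cb(self, _oauthbearer_config: str) -> Tuple[str, float]:
        """Pass as ``'oauth_cb': provider.oauth_cb`` in the client config."""
        return self.token()


class FakeTokenEndpoint:
    """Constructed stand-in for an IdP: fails ``transient`` times, then succeeds."""
    def __init__(self, transient: int = 0, reject: bool = False):
        self.transient, self.reject, self.calls = transient, reject, 0

    def __call__(self, token_uri: str, form: Dict[str, str]) -> Dict:
        self.calls += 1
        if self.reject:
            raise PermanentTokenError("invalid_client")
        if self.calls <= self.transient:
            raise TransientTokenError("503 from " + token_uri)
        return {"access_token": f"tok-{self.calls}", "expires_in": 600}


def demo():
    """Two transient failures, a cached hit, then a refresh inside the margin."""
    clock, waited = [1000.0], []
    idp = FakeTokenEndpoint(transient=2)
    provider = ClientCredentialsTokenProvider(
        "https://idp.example.com/oauth2/token", "app-client", "example-secret",
        scope="kafka:read", fetch=idp, sleep=waited.append, now=lambda: clock[0])
    first = provider.token()
    second = provider.token()       # served from cache, no endpoint call
    clock[0] += 600 - 30            # 30 s before expiry: inside the 60 s margin
    third = provider.token()
    return first, second, third, idp.calls, waited


if __name__ == "__main__":
    print(demo())
```

In a real client, construct the provider with the values from the configuration table and set 'oauth_cb': provider.oauth_cb alongside 'sasl.mechanism': 'OAUTHBEARER'; librdkafka calls it whenever it needs a fresh token, and the cache means those calls are cheap until the refresh margin is reached.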

Best practices

  • Security: Store credentials securely using environment variables or secret management
  • Monitoring: Implement logging and monitoring for OAuth authentication
  • Testing: Use mock OAuth servers for integration testing
  • Documentation: Maintain clear configuration documentation for your team