Configure Kafka Clients for OAuth 2.0 Authentication in Confluent Cloud

OAuth 2.0 is a robust, token-based authentication framework that allows you to provide secure, delegated access to your Confluent Cloud resources without sharing long-lived credentials. By integrating with an external OAuth/OIDC identity provider, you can centralize identity management and leverage fine-grained access control for your Kafka clients.

This guide provides comprehensive instructions for configuring various client types to connect to Confluent Cloud using OAuth authentication. You will find common configuration parameters, examples, and best practices for Java, Python, .NET, Go, and JavaScript clients.

Prerequisites

Before configuring OAuth authentication, ensure you have:

  • Confluent Cloud account: Active Confluent Cloud account with OAuth enabled

  • OAuth identity provider: Configured OAuth/OIDC identity provider

  • Client credentials: OAuth client ID and secret from your identity provider

  • Cluster information: Logical cluster ID and identity pool ID from Confluent Cloud

Supported client types

Confluent Cloud supports OAuth authentication for the following client types:

Java clients

  • Apache Kafka® client 4.0.0 or later

  • Confluent Platform 7.2.1 or later; 7.1.3 or later

  • Schema Registry Java clients

Python clients

  • confluent-kafka-python 2.0.0 or later

  • Python 3.7 or later

.NET clients

  • Confluent.Kafka 2.0.0 or later

  • .NET Framework 4.6.1 or later, or .NET Core 2.1 or later

Go clients

  • confluent-kafka-go 2.0.0 or later

  • Go 1.16 or later

  • librdkafka 1.9.2 or later

JavaScript clients

  • Schema Registry JavaScript clients

  • Node.js 14 or later

C/C++ clients

C/C++ Kafka clients (librdkafka-based) and C++ Schema Registry clients (libschemaregistry) do not yet support OAuth. Use API key and secret authentication. For Schema Registry configuration guidance, see Schema Registry C++ Client (libschemaregistry).

Common configuration parameters

All OAuth client configurations require these common parameters:

| Parameter | Description | Default | Required |
| --- | --- | --- | --- |
| sasl.mechanism | SASL mechanism for OAuth authentication | OAUTHBEARER | Yes |
| sasl.oauth.token.endpoint.uri | OAuth token endpoint URL | None | Yes |
| sasl.oauth.client.id | OAuth client ID | None | Yes |
| sasl.oauth.client.secret | OAuth client secret | None | Yes |
| sasl.oauth.scope | OAuth scopes for token request | None | No |
| sasl.oauth.logical.cluster | Logical cluster ID for Confluent Cloud | None | Yes |
| sasl.oauth.identity.pool.id | Identity pool ID for Confluent Cloud | None | No |

Authentication flow

Note

For the end-to-end OAuth/OIDC authentication flow and core concepts in Confluent Cloud, see Use OAuth/OIDC to Authenticate to Confluent Cloud and Core OAuth concepts. This page focuses on per-client configuration.

Configuration examples

Basic OAuth configuration:

# Common OAuth configuration
sasl.mechanism=OAUTHBEARER
sasl.oauth.token.endpoint.uri=https://your-oauth-provider.com/oauth2/token
sasl.oauth.client.id=your-client-id
sasl.oauth.client.secret=your-client-secret
sasl.oauth.scope=kafka:read kafka:write
sasl.oauth.logical.cluster=lkc-xxxxx
sasl.oauth.identity.pool.id=pool-xxxxx

Environment-specific configuration:

# Development environment
sasl.oauth.token.endpoint.uri=https://dev-auth.example.com/oauth2/token
sasl.oauth.client.id=dev-kafka-client
sasl.oauth.scope=kafka:dev

# Production environment
sasl.oauth.token.endpoint.uri=https://prod-auth.example.com/oauth2/token
sasl.oauth.client.id=prod-kafka-client
sasl.oauth.scope=kafka:prod
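The common parameters above, and the practice of keeping credentials in environment variables rather than in a checked-in properties file, can be combined into a single startup check. The following Python function is an added example and is not code from Confluent or from any Kafka client library; the `KAFKA_OAUTH_*` environment variable names are this example's own convention. It assembles the page's parameters, fails fast if any required one is missing, refuses a token endpoint that is not an absolute `https` URL (so the client secret can never be posted over plain HTTP), and provides a redacted copy that is safe to write to logs.

```python
import os
from urllib.parse import urlparse

# Page parameter name -> (environment variable, required). The variable
# names are this example's own convention, not a Confluent setting.
PARAMETERS = {
    "sasl.oauth.token.endpoint.uri": ("KAFKA_OAUTH_TOKEN_ENDPOINT", True),
    "sasl.oauth.client.id": ("KAFKA_OAUTH_CLIENT_ID", True),
    "sasl.oauth.client.secret": ("KAFKA_OAUTH_CLIENT_SECRET", True),
    "sasl.oauth.scope": ("KAFKA_OAUTH_SCOPE", False),
    "sasl.oauth.logical.cluster": ("KAFKA_OAUTH_LOGICAL_CLUSTER", True),
    "sasl.oauth.identity.pool.id": ("KAFKA_OAUTH_IDENTITY_POOL_ID", False),
}


def build_oauth_config(env=None):
    """Assemble the common OAuth parameters from environment variables.

    Raises ValueError naming every missing required parameter at once, and
    rejects a token endpoint that is not an absolute https URL, so that a
    misconfiguration fails at process start rather than on the first connect.
    """
    env = os.environ if env is None else env
    # sasl.mechanism is the only parameter in the table that has a default.
    config = {"sasl.mechanism": "OAUTHBEARER"}
    missing = []
    for param, (var, required) in PARAMETERS.items():
        value = env.get(var, "").strip()
        if value:
            config[param] = value
        elif required:
            missing.append(f"{param} (set {var})")
    if missing:
        raise ValueError("missing required OAuth parameters: " + ", ".join(missing))

    endpoint = urlparse(config["sasl.oauth.token.endpoint.uri"])
    if endpoint.scheme != "https" or not endpoint.netloc:
        raise ValueError(
            "sasl.oauth.token.endpoint.uri must be an absolute https URL; "
            "the client secret must never be sent over plain HTTP"
        )
    return config


def redacted(config):
    """Copy of the config that is safe to log: the client secret is masked."""
    return {
        key: ("***" if key == "sasl.oauth.client.secret" else value)
        for key, value in config.items()
    }
```

Call `build_oauth_config()` once at startup and log `redacted(config)`; the per-environment values from the examples above (dev versus prod endpoint, client ID and scope) then differ only in the environment the process is launched with, not in the code.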

Error handling

Implement proper error handling for OAuth authentication:

  • Network Failures: Handle connection timeouts and retry with exponential backoff

  • Authentication Failures: Validate credentials and token endpoint URLs

  • Token Expiration: Implement token refresh logic

  • Configuration Errors: Validate all required parameters
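The four error classes above map onto a small token-fetching component. The class below is an added example, not code from Confluent or from confluent-kafka-python; it performs the OAuth 2.0 client credentials grant with the standard library only, caches the token and refreshes it before expiry, retries network failures and HTTP 429/5xx responses with exponential backoff, and treats any other 4xx response (such as a rejected client ID or secret) as a hard authentication failure that is not retried. The `post`, `clock` and `sleep` arguments are injection points so the class can be exercised offline; the token endpoint and credentials used in the test are constructed values.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


class OAuthTokenSource:
    """Client-credentials token fetcher with caching, refresh and retry.

    get_token() returns (access_token, expiry_epoch_seconds), the tuple shape
    that confluent-kafka-python's ``oauth_cb`` callback is expected to return.
    A cached token is reused until ``refresh_margin`` seconds before expiry.
    Network errors and HTTP 429/5xx are retried with exponential backoff;
    other 4xx responses fail immediately, because retrying bad credentials
    only adds noise to the identity provider's logs.
    """

    RETRYABLE_STATUS = {429, 500, 502, 503, 504}

    def __init__(self, token_endpoint, client_id, client_secret, scope=None,
                 refresh_margin=60.0, max_attempts=4, base_delay=0.5,
                 post=None, clock=time.time, sleep=time.sleep):
        self.token_endpoint = token_endpoint
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope = scope
        self.refresh_margin = refresh_margin
        self.max_attempts = max_attempts
        self.base_delay = base_delay
        self._post = post or self._http_post   # injectable for offline tests
        self._clock = clock
        self._sleep = sleep
        self._token = None
        self._expiry = 0.0
        self.requests_made = 0                 # exposed for monitoring/tests

    @staticmethod
    def _http_post(url, headers, body):
        """Real transport: returns (status, response_bytes)."""
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as err:  # a non-2xx reply is still a reply
            return err.code, err.read()

    def _request_token(self):
        """One client_credentials grant with retry; returns (token, lifetime_s)."""
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": "Basic " + creds,
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "client_credentials"}
        if self.scope:
            form["scope"] = self.scope
        body = urllib.parse.urlencode(form).encode()

        delay = self.base_delay
        for attempt in range(1, self.max_attempts + 1):
            self.requests_made += 1
            try:
                status, payload = self._post(self.token_endpoint, headers, body)
            except OSError as exc:             # DNS, connect, TLS and timeout errors
                status, error = None, exc
            else:
                error = None
                if status == 200:
                    data = json.loads(payload)
                    # expires_in is optional in RFC 6749; without it, do not cache
                    return data["access_token"], float(data.get("expires_in", 0))
                if status not in self.RETRYABLE_STATUS:
                    raise PermissionError(f"token endpoint returned HTTP {status}; "
                                          "check client ID, secret and endpoint URL")
            if attempt == self.max_attempts:
                raise ConnectionError(f"token request failed after {attempt} attempts "
                                      f"(last: {error or 'HTTP %d' % status})")
            self._sleep(delay)
            delay *= 2

    def get_token(self, _config_str=None):
        """Return (token, expiry); the signature matches an oauth_cb callable."""
        now = self._clock()
        if self._token is not None and self._expiry - now > self.refresh_margin:
            return self._token, self._expiry
        token, lifetime = self._request_token()
        self._token, self._expiry = token, self._clock() + lifetime
        return self._token, self._expiry
```

With confluent-kafka-python, `source.get_token` can be passed as the client's `oauth_cb` configuration property; the library then calls it whenever it needs a fresh bearer token, and the refresh margin ensures a token is renewed before the broker would reject it as expired. The `requests_made` counter and the distinct `PermissionError` / `ConnectionError` exceptions give monitoring a cheap way to tell credential problems from identity-provider outages.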

Best practices

  • Security: Store credentials securely using environment variables or secret management

  • Monitoring: Implement logging and monitoring for OAuth authentication

  • Testing: Use mock OAuth servers for integration testing

  • Documentation: Maintain clear configuration documentation for your team

Next steps

Choose your client type for detailed configuration instructions: