Add an OAuth-OIDC Identity Provider for Confluent Cloud

You can configure an OAuth-OIDC identity provider in Confluent Cloud to grant workloads and applications limited access to Confluent Cloud resources and Confluent Cloud APIs. A Confluent Cloud OAuth-OIDC identity provider uses the industry standard OAuth 2.0 and OpenID Connect (OIDC) protocols to establish trust with Confluent Cloud resources, reduce operational burdens, and grant programmatic access to Confluent Cloud APIs for your workloads and applications.

Note

OAuth-OIDC identity providers cannot currently authenticate Confluent Cloud user accounts. For your Confluent Cloud users, you can use a SAML-based single sign-on (SSO) identity provider.

To use the Confluent Cloud APIs to create, read, update, list, and delete identity providers, see Identity Providers (iam/v2).

Add an identity provider using Confluent Cloud Console

Required RBAC roles: OrganizationAdmin

Important

Before you add a new identity provider, review Best Practices for OAuth Identity Providers.

Prerequisites

  • You must have an account in the identity provider you want to use.
  • You must have an account in Confluent Cloud with the OrganizationAdmin role.
  • You need the following information for your identity provider:
    • OIDC Discovery URL: Obtain this URL from your identity provider to import metadata required to configure your OIDC provider. Using this option automatically provides the JWKS URI and the Issuer URI information.
    • Without the OIDC Discovery URL, you need the following information:
      • Azure AD: Tenant ID, JWKS URI, and Issuer URI.
      • Okta: Authorization server, domain, JWKS URI, and Issuer URI.
      • Other OIDC identity provider: JWKS URI and Issuer URI.
  • If your identity provider is behind a firewall, you must add Confluent Cloud public IP addresses to your firewall allowlist. These public IP addresses are used by Confluent Cloud to access your JWKS URI over the internet. To get the available Confluent Cloud public IP addresses, see Verify network access to the JWKS URI.

Configure an OAuth 2.0 identity provider

Follow these steps to configure an OAuth 2.0 identity provider using the Confluent Cloud Console.

  1. In Confluent Cloud Console, go to the Workload identities tab under Accounts & access at https://confluent.cloud/settings/org/workload_identities.

  2. Click Add identity providers.

  3. Select the OIDC identity provider type and click Next.

  4. Click Azure AD, Okta, or Other OIDC identity provider and complete the fields. The fields below are those shown for Azure AD.

    Name

    Enter a meaningful name for your Azure AD identity provider.

    Description

    Enter meaningful information for using and managing this provider.

    Tenant ID

    Enter the tenant identifier.

    Import from OIDC Discovery URL

    Click to import metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields.

    JWKS URI

    Enter the URI for JSON Web Key Set (JWKS).

    A JSON Web Key Set (JWKS) is the set of public keys used to verify the signature of any JSON Web Token (JWT) issued by your Azure AD identity provider.

    Example: https://login.microsoftonline.com/common/discovery/v2.0/keys

    Issuer URI

    Enter the issuer URI for your Azure AD authorization server.

    The issuer URI is a unique string that identifies the entity that issues the tokens.

    Example: https://login.microsoftonline.com/{tenant_id}/v2.0

    Important

    To use your Azure identity provider created here, you must also edit your Azure application manifest to set the accessTokenAcceptedVersion attribute to 2 to use the v2 token instead of the default legacy v1 token. For example, add the following line to your manifest:

    "accessTokenAcceptedVersion": 2

    For details, follow the steps in Configure the application manifest.

  5. Click Validate and save. The Accounts & access page appears, displaying the Workload identities tab.

  6. Click your new identity provider. A details page appears, showing a summary of the identity provider's name, description, issuer URI, and JWKS URI.
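Before you click Validate and save, it helps to confirm that the discovery document, the JWKS, and a token issued by the provider agree with each other, and in particular that Azure AD is issuing v2 tokens rather than the legacy v1 format. The following Python check is an added example, not Confluent's code: it uses a constructed discovery document, key set, and tokens for a placeholder tenant ID, and inspects only metadata and claims (Confluent Cloud verifies the token signature against the JWKS).

```python
import base64
import json

# Constructed sample data (placeholder tenant id, not a real one): the discovery
# document served at <issuer>/.well-known/openid-configuration and the key set it
# points to, matching the example JWKS and issuer URIs in the fields above.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
}
JWKS = {"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig", "e": "AQAB", "n": "placeholder"}]}

def b64url_json(obj):
    """Encode a JSON object as one unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_segment(segment):
    """Decode one base64url JWT segment, restoring the padding JWTs omit."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def make_token(header, claims):
    """Assemble header.claims.signature; the signature is a placeholder, since only claims are inspected."""
    return f"{b64url_json(header)}.{b64url_json(claims)}.placeholder-signature"

def preflight(discovery, jwks, token, tenant_id):
    """List mismatches between provider metadata and a token it issued (empty = consistent).
    Signature verification is not done here; Confluent Cloud does that against the JWKS."""
    problems = []
    expected_issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if discovery.get("issuer") != expected_issuer:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} != {expected_issuer!r}")
    if not str(discovery.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not https")
    kids = {k.get("kid") for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"}
    if not kids:
        problems.append("JWKS contains no signing keys")
    header, claims = (decode_segment(s) for s in token.split(".")[:2])
    if header.get("kid") not in kids:
        problems.append(f"token kid {header.get('kid')!r} not in JWKS {sorted(kids)}")
    if claims.get("iss") != discovery.get("issuer"):
        problems.append(f"token iss {claims.get('iss')!r} != discovery issuer")
    if claims.get("ver") != "2.0":
        problems.append(f"token ver {claims.get('ver')!r}: set accessTokenAcceptedVersion to 2 in the manifest")
    return problems

# A v2 token from the configured tenant, and a legacy v1 token (sts.windows.net issuer) for contrast.
V2_TOKEN = make_token({"alg": "RS256", "kid": "key-1"}, {"iss": DISCOVERY_DOC["issuer"], "ver": "2.0"})
V1_TOKEN = make_token({"alg": "RS256", "kid": "key-1"}, {"iss": f"https://sts.windows.net/{TENANT_ID}/", "ver": "1.0"})
```

`preflight(DISCOVERY_DOC, JWKS, V2_TOKEN, TENANT_ID)` returns an empty list, while the v1 token is reported for both its issuer and its `ver` claim, which is the symptom of a manifest still on the default accessTokenAcceptedVersion.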

You have successfully created your identity provider, but you need to set up an identity pool to use your new identity provider.