Add an OAuth/OIDC Identity Provider for Confluent Cloud

You can configure an OAuth/OIDC identity provider in Confluent Cloud to grant workloads and applications limited access to Confluent Cloud resources and Confluent Cloud APIs. A Confluent Cloud OAuth/OIDC identity provider uses the industry standard OAuth 2.0 and OpenID Connect (OIDC) protocols to establish trust with Confluent Cloud resources, reduce operational burdens, and grant programmatic access to Confluent Cloud APIs for your workloads and applications.

Note

OAuth/OIDC identity providers cannot currently authenticate Confluent Cloud user accounts. For your Confluent Cloud users, you can use a SAML-based single sign-on (SSO) identity provider.

To use the Confluent Cloud APIs to create, read, update, list, and delete identity providers, see Identity Providers (iam/v2).

Add an identity provider using Confluent Cloud Console

Required RBAC roles: OrganizationAdmin

Important

Before you add a new identity provider, review Best Practices for OAuth Identity Providers.

You can use the Confluent Cloud Console to configure an OAuth 2.0 identity provider using one of the following options: Azure AD, Okta, or another OIDC identity provider.

To configure an OAuth 2.0 identity provider:

  1. In Confluent Cloud Console, go to the Identity providers tab under Accounts & access at http://confluent.cloud/settings/org/identity_providers.

  2. Click Add identity providers.

  3. Select the OIDC identity provider type and click Next.

  4. Click Azure AD, Okta, or Other OIDC identity provider and complete the fields. The fields described below are for the Azure AD option.

    Name

    Enter a meaningful name for your Azure AD identity provider.

    Description

    Enter meaningful information for using and managing this provider.

    Tenant ID

    Enter the Azure AD tenant ID (the directory ID of the tenant that issues tokens for your workloads).

    Import from OIDC Discovery URL

    Click to import the metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields from the provider's discovery document. For Azure AD, the discovery URL has the form https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration.

    JWKS URI

    Enter the URI for JSON Web Key Set (JWKS).

    The JSON Web Key Set (JWKS) is the set of public keys used to verify the signature of any JSON Web Token (JWT) issued by your Azure AD identity provider.

    Example: https://login.microsoftonline.com/common/discovery/v2.0/keys

    Issuer URI

    Enter the issuer URI for your Azure AD authorization server.

    The issuer URI is the unique string that identifies the entity issuing tokens. It must match the iss claim in the tokens your identity provider issues. For Azure AD it contains your tenant ID, which binds trust to your tenant so that tokens issued to other tenants are not accepted.

    Example: https://login.microsoftonline.com/{tenant_id}/v2.0

    Important

    To use your Azure identity provider created here, you must also edit your Azure application manifest to set the accessTokenAcceptedVersion attribute to 2, so that Azure AD issues v2 access tokens instead of the default legacy v1 tokens. A v1 token carries an iss claim of the form https://sts.windows.net/{tenant_id}/, which does not match the v2 Issuer URI configured above, so it is rejected. For example, add the following line to your manifest:

    "accessTokenAcceptedVersion": 2
    

    For details, follow the steps in Configure the application manifest.

  5. Click Validate and save. The Accounts & access page appears, displaying the Identity providers tab.

  6. Click on your new identity provider. A details page appears, showing a summary listing of your identity provider name, description, issuer URI, and JWKS URI.

You have successfully created your identity provider, but before it can grant any access you must set up an identity pool that maps identities from this provider to Confluent Cloud role bindings.
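The following Python script is an added example, not code from the Confluent documentation or the Confluent Cloud product. It reproduces what the steps above rely on: deriving the Issuer URI and JWKS URI from an OIDC discovery document (what the Import from OIDC Discovery URL button does), checking that the issuer is bound to your tenant, and showing why a legacy v1 Azure AD access token is rejected against the configured issuer while a v2 token passes. The tenant ID, audience, discovery document and tokens are all constructed placeholders; the tokens carry a dummy signature, and the script checks claims only. Signature verification against the JWKS, which Confluent Cloud performs, is intentionally left out.

```python
import base64
import json

# Placeholder tenant ID (constructed for this example, not a real tenant).
TENANT_ID = "11111111-2222-3333-4444-555555555555"

# Constructed copy of the fields the console reads from the Azure AD v2.0
# discovery document. The live document is served from
# https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration
DISCOVERY_DOC = {
    "issuer": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/v2.0/keys",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token",
}


def provider_config_from_discovery(doc, tenant_id):
    """Derive the Issuer URI and JWKS URI the console fills in, rejecting
    metadata that would bind the provider to the wrong tenant or to a
    non-TLS endpoint."""
    issuer = doc["issuer"]
    jwks_uri = doc["jwks_uri"]
    for name, url in (("issuer", issuer), ("jwks_uri", jwks_uri)):
        if not url.startswith("https://"):
            raise ValueError(f"{name} must be an https URL: {url}")
    # The issuer is the trust anchor: if it does not carry your tenant ID,
    # tokens minted for any other Azure AD tenant would match the provider.
    if tenant_id not in issuer:
        raise ValueError(f"issuer {issuer} does not name tenant {tenant_id}")
    return {"issuer": issuer, "jwks_uri": jwks_uri}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with a placeholder signature (constructed test input only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "example-kid"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"not-a-real-signature"),
    ])


def check_token_claims(token: str, expected_issuer: str, expected_audience: str, now: int) -> list:
    """Return the reasons a token would be rejected against the provider
    (empty list means the claims are acceptable). Signature verification
    against the JWKS is deliberately not performed here."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss {claims.get('iss')!r} != issuer URI {expected_issuer!r}")
    if claims.get("ver") != "2.0":
        problems.append(f"ver {claims.get('ver')!r}: set accessTokenAcceptedVersion to 2")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_audience not in auds:
        problems.append(f"aud {aud!r} does not contain {expected_audience!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


NOW = 1_700_000_000          # fixed clock so the example is deterministic
APP_ID = "api://example-app"  # placeholder audience (your app's Application ID URI)

# Legacy v1 access token, as Azure AD issues by default before the manifest change.
V1_TOKEN = make_unsigned_jwt({
    "iss": f"https://sts.windows.net/{TENANT_ID}/",
    "ver": "1.0", "aud": APP_ID, "exp": NOW + 3600, "sub": "workload-1",
})
# v2 access token, as issued once accessTokenAcceptedVersion is set to 2.
V2_TOKEN = make_unsigned_jwt({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
    "ver": "2.0", "aud": APP_ID, "exp": NOW + 3600, "sub": "workload-1",
})

if __name__ == "__main__":
    cfg = provider_config_from_discovery(DISCOVERY_DOC, TENANT_ID)
    print("provider config:", cfg)
    for label, tok in (("v1 token", V1_TOKEN), ("v2 token", V2_TOKEN)):
        print(label, check_token_claims(tok, cfg["issuer"], APP_ID, NOW) or "OK")
```

Running the script prints the derived issuer and JWKS URI, then reports the v1 token as rejected (issuer mismatch and wrong token version) and the v2 token as acceptable. The tenant check in provider_config_from_discovery is the one to keep in mind when pasting discovery metadata by hand: an issuer that does not name your tenant widens trust to every tenant that provider serves.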