Access Kafka REST APIs with an OAuth-OIDC identity provider on Confluent Cloud

You can use an OAuth-OIDC identity provider to access Kafka REST APIs in Confluent Cloud. With OAuth 2.0, a third-party service can obtain an access token scoped to your identity without you having to share a password with it.

Prerequisites

You have created an OAuth-OIDC identity provider and an identity pool to use when accessing Kafka REST APIs. For more information, see Add an OAuth/OIDC Identity Provider on Confluent Cloud.

You can use claims (such as aud, scp, or others) in an identity pool filter to restrict access for specific purposes or operations.

Use the Kafka REST API with your identity provider

To use the Kafka REST API with your identity provider:

  1. Fetch an OAuth access token from your OAuth/OIDC identity provider.

    The following example uses the curl --request command to get the access token from an Okta identity provider.

    curl --request POST --url https://dev-632532.okta.com/oauth2/aus1z43fvcbY2sQV84y6/v1/token \
      --header 'accept: application/json' \
      --header 'authorization: Basic MG9hNm0wZ213Y2lvVmtsdHI0eDc6dXpmNH5iRExTR5ExTVllaUVYMHdHUTVmR3U0bmY0VDlscUNQVmlVeQ==' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=client_credentials&scope=my-scope'
    

    For Microsoft Entra ID, here’s an example of generating an access token using your Microsoft Entra ID identity provider:

    curl --request POST --url https://login.microsoftonline.com/e13n8hf4-nj0c-8po1-m0g8-0mke8f3111d5j/oauth2/v2.0/token \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'client_id=7df2s309-erdp-0927-v203-p0e4df7409d5&scope=api://7df2s309-erdp-0927-v203-p0e4df7409d5/.default&client_secret=0Ec82@3dfafesQljc-9kzNf1De210nJasWPw2&grant_type=client_credentials'
    
  2. Pass the access token and the identity provider pool ID when accessing REST APIs.

    Note that the Confluent-Identity-Pool-Id header is required when using an identity provider to access the Kafka REST APIs.

    The following example uses a curl --request command to create a topic.

    curl \
      -X POST \
      -H "Content-Type: application/json" \
      -H "Confluent-Identity-Pool-Id: pool-gtoK" \
      -H "Authorization: Bearer jwt_token" \
      https://pkc-82o1z4.us-west-2.aws.confluent.cloud:443/kafka/v3/clusters/lkc-zj12906/topics \
      -d '{"topic_name":"topic-2"}'
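The two steps above, carried through end to end as an added example in Python (this is not Confluent's own code or client library). It requests a token with the client_credentials grant the way the Okta example does (client ID and secret in an HTTP Basic header; the Entra ID example sends them in the form body instead), reads the token's claims locally so you can confirm that exp and aud look right before the first REST call, and then creates a topic through the Kafka REST API v3 with the mandatory Confluent-Identity-Pool-Id header. TOKEN_URL, CLIENT_ID, CLIENT_SECRET, EXPECTED_AUD and the helper names are placeholders and assumptions; the cluster endpoint, cluster ID, pool ID and scope are the values shown on this page. The local claim check does not verify the signature; Confluent Cloud does that against your provider's keys when the token is presented.

```python
"""Added example: OAuth client_credentials token -> Confluent Cloud Kafka REST API v3.
Not Confluent's code. All credentials and provider URLs are placeholders."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholders (assumed): replace with your own provider and application values.
TOKEN_URL = "https://<your-idp>/oauth2/<authorization-server-id>/v1/token"
CLIENT_ID = "<client-id>"
CLIENT_SECRET = "<client-secret>"
EXPECTED_AUD = "<audience configured in your identity pool filter>"
SCOPE = "my-scope"                                           # scope used on the page
REST_ENDPOINT = "https://pkc-82o1z4.us-west-2.aws.confluent.cloud:443"  # from the page
CLUSTER_ID = "lkc-zj12906"                                   # from the page
POOL_ID = "pool-gtoK"                                        # from the page


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials as in the Okta example: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_token_request(token_url, client_id, client_secret, scope):
    """Return (url, headers, body) for a client_credentials token request."""
    headers = {
        "accept": "application/json",
        "authorization": basic_auth_header(client_id, client_secret),
        "content-type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Read the payload of a compact JWT WITHOUT verifying the signature.
    Use only for local inspection (exp, aud, scp); never as an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_is_usable(claims, expected_aud, now=None, skew=30):
    """Pre-flight check: not expired (renew `skew` seconds early) and aud matches.
    aud/scp are the kind of claims an identity pool filter can restrict on."""
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None or now >= exp - skew:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return expected_aud in audiences


def build_create_topic_request(rest_endpoint, cluster_id, pool_id, access_token, topic_name):
    """Return (url, headers, body) for POST /kafka/v3/clusters/{cluster_id}/topics.
    Confluent-Identity-Pool-Id is required when authenticating via an identity provider."""
    url = f"{rest_endpoint}/kafka/v3/clusters/{cluster_id}/topics"
    headers = {
        "Content-Type": "application/json",
        "Confluent-Identity-Pool-Id": pool_id,
        "Authorization": f"Bearer {access_token}",
    }
    return url, headers, json.dumps({"topic_name": topic_name})


def _post(url, headers, body):
    """Send a POST and parse the JSON response (raises on HTTP errors)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.loads(resp.read() or b"{}")


def make_unsigned_test_jwt(claims):
    """Constructed test token (placeholder signature) for offline checks only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder"])


def main():
    url, headers, body = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET, SCOPE)
    access_token = _post(url, headers, body)["access_token"]          # step 1
    claims = decode_jwt_claims(access_token)
    if not token_is_usable(claims, EXPECTED_AUD):
        raise SystemExit(f"token is expired or not issued for {EXPECTED_AUD}: {claims}")
    url, headers, body = build_create_topic_request(
        REST_ENDPOINT, CLUSTER_ID, POOL_ID, access_token, "topic-2")   # step 2
    print(_post(url, headers, body))


if __name__ == "__main__":
    main()
```

Keep the client secret out of the script in practice (read it from an environment variable or a secrets manager); it is a constant here only so the flow reads top to bottom. If the REST call returns 401 or 403, compare the token's aud and scp claims from decode_jwt_claims with the filter configured on the identity pool before looking anywhere else: a token that passes signature verification but fails the pool filter is the most common cause.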