Access Kafka REST APIs with an OAuth-OIDC identity provider on Confluent Cloud
You can use an OAuth-OIDC identity provider to access Kafka REST APIs in Confluent Cloud. With OAuth 2.0, a client obtains a short-lived, scoped access token from your identity provider and presents that token to Confluent Cloud, so the client never has to hold or share a Confluent password or long-lived API key.
Prerequisites
You have created an OAuth/OIDC identity provider and an identity pool for accessing Kafka REST APIs. For more information, see Add an OAuth/OIDC Identity Provider on Confluent Cloud.
You can use claims in the access token (such as aud, scp, or others) in the identity pool filter to restrict which tokens the pool accepts, and so limit the pool to specific purposes or operations. Filtering on aud in particular prevents a token that the provider issued for some other service from being accepted by the pool; filtering on scp limits the pool to tokens that were granted a specific scope.
Use the Kafka REST API with your identity provider
To use the Kafka REST API with your identity provider:
Fetch an OAuth access token from your OAuth/OIDC identity provider.
The following example uses curl to request an access token from an Okta identity provider with the client_credentials grant. The Basic authorization header carries the base64-encoded client_id:client_secret of the client application, and the token is returned in the access_token field of the JSON response:

```bash
curl --request POST --url https://dev-632532.okta.com/oauth2/aus1z43fvcbY2sQV84y6/v1/token \
  --header 'accept: application/json' \
  --header 'authorization: Basic MG9hNm0wZ213Y2lvVmtsdHI0eDc6dXpmNH5iRExTR5ExTVllaUVYMHdHUTVmR3U0bmY0VDlscUNQVmlVeQ==' \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'grant_type=client_credentials&scope=my-scope'
```
For Microsoft Entra ID, the same grant is requested from the tenant's v2.0 token endpoint, with the client ID and client secret sent as form fields and the scope set to the application's .default scope:

```bash
curl --request POST --url https://login.microsoftonline.com/e13n8hf4-nj0c-8po1-m0g8-0mke8f3111d5j/oauth2/v2.0/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data 'client_id=7df2s309-erdp-0927-v203-p0e4df7409d5&scope=api://7df2s309-erdp-0927-v203-p0e4df7409d5/.default&client_secret=0Ec82@3dfafesQljc-9kzNf1De210nJasWPw2&grant_type=client_credentials'
```

Note that a client secret placed on the command line, as in both examples, is visible in shell history and process listings; in scripts, read it from an environment variable or a protected file instead.
Pass the access token and the identity pool ID when calling the REST API.
The Confluent-Identity-Pool-Id header is required when using an identity provider to access the Kafka REST APIs, and the access token is sent in the Authorization header as a Bearer token. The following example uses curl to create a topic, where jwt_token stands for the access_token value returned in the previous step:

```bash
curl \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Confluent-Identity-Pool-Id: pool-gtoK" \
  -H "Authorization: Bearer jwt_token" \
  https://pkc-82o1z4.us-west-2.aws.confluent.cloud:443/kafka/v3/clusters/lkc-zj12906/topics \
  -d '{"topic_name":"topic-2"}'
```
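The two-step procedure above (fetch a token, then call the REST API with the Bearer token and the Confluent-Identity-Pool-Id header) and the claim-based restriction mentioned under Prerequisites, as an added Python example that is not Confluent's code. It assembles both HTTP requests with urllib without sending them, so it runs offline, and pre-checks the token's aud, scp and exp claims locally before use. The token URL, cluster URL, pool ID, client credentials and the sample token are constructed placeholders, and the claim pre-check is an illustration of what an identity pool filter can restrict on, not Confluent's filter engine.

```python
"""Added example, not Confluent's code. Every URL, ID, credential and token
below is a constructed placeholder."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions for this example only).
TOKEN_URL = "https://dev-000000.okta.com/oauth2/EXAMPLE/v1/token"
CLUSTER_URL = "https://pkc-example.us-west-2.aws.confluent.cloud:443/kafka/v3/clusters/lkc-example"
POOL_ID = "pool-EXAMPLE"


def basic_auth_value(client_id, client_secret):
    """HTTP Basic Authorization value for client_id:client_secret."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(token_url, client_id, client_secret, scope, secret_in_body=False):
    """client_credentials token request (step 1 above).
    Default: Okta-style, credentials in a Basic Authorization header.
    secret_in_body=True: Entra-style, client_id/client_secret as form fields.
    Either way the secret is inside the TLS-protected request, never in the URL."""
    form = {"grant_type": "client_credentials", "scope": scope}
    headers = {"Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    if secret_in_body:
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        headers["Authorization"] = basic_auth_value(client_id, client_secret)
    return urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(),
                                  headers=headers, method="POST")


def decode_jwt_claims(token):
    """Decode a compact JWS payload WITHOUT verifying the signature. Local
    inspection only: Confluent Cloud verifies the signature against the
    provider's JWKS; this just decides whether the token is worth sending."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(claims, expected_aud, required_scope, now=None):
    """Local pre-check mirroring what an identity pool filter can restrict on:
    exp, aud (string or list) and scp. scp is an array in Okta tokens and a
    space-separated string in Entra ID tokens; both are handled.
    Illustration only, not Confluent's filter engine."""
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False
    scp = claims.get("scp", [])
    scopes = scp.split() if isinstance(scp, str) else scp
    return required_scope in scopes


def build_create_topic_request(cluster_url, pool_id, access_token, topic_name):
    """Kafka REST v3 create-topic request (step 2 above): Bearer token plus
    the mandatory Confluent-Identity-Pool-Id header."""
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {access_token}",
               "Confluent-Identity-Pool-Id": pool_id}
    return urllib.request.Request(f"{cluster_url}/topics",
                                  data=json.dumps({"topic_name": topic_name}).encode(),
                                  headers=headers, method="POST")


def header(req, name):
    """urllib stores header names via str.capitalize(); look them up the same way."""
    return req.get_header(name.capitalize())


def make_sample_token(claims):
    """Constructed unsigned sample token for offline use. The signature segment
    is a placeholder, so any real verifier rejects it (it is never sent)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.placeholder-signature"


if __name__ == "__main__":
    claims = {"sub": "svc-kafka", "aud": "api://confluent", "scp": ["kafka:write"], "exp": 2000000000}
    token = make_sample_token(claims)
    assert token_is_usable(decode_jwt_claims(token), "api://confluent", "kafka:write")
    req = build_create_topic_request(CLUSTER_URL, POOL_ID, token, "topic-2")
    print(req.get_method(), req.full_url, header(req, "Confluent-Identity-Pool-Id"))
```

To actually send either request, pass it to urllib.request.urlopen; the pre-check is worth keeping in front of the REST call because a token with the wrong audience or a missing scope is rejected by the identity pool filter anyway, and failing locally gives a clearer error than a 401 from the cluster.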