Access Kafka REST APIs with an OAuth-OIDC identity provider on Confluent Cloud
You can use an OAuth-OIDC identity provider to access Kafka REST APIs in Confluent Cloud. With OAuth 2.0, third-party services can exchange your information without you having to share passwords.
Prerequisites
You have created an OAuth-OIDC identity provider and identity pool for use in accessing Kafka REST APIs. For more information, see Add an OAuth/OIDC Identity Provider on Confluent Cloud.
You can use claims (such as aud, scp, or others) in an identity pool filter to restrict access for specific purposes or operations.
Use the Kafka REST API with your identity provider
To use the Kafka REST API with your identity provider:
1. Fetch an OAuth access token from your OAuth/OIDC identity provider.

The following example uses a curl --request command to get the access token from an Okta identity provider:

    curl --request POST --url https://dev-632532.okta.com/oauth2/aus1z43fvcbY2sQV84y6/v1/token \
      --header 'accept: application/json' \
      --header 'authorization: Basic MG9hNm0wZ213Y2lvVmtsdHI0eDc6dXpmNH5iRExTR5ExTVllaUVYMHdHUTVmR3U0bmY0VDlscUNQVmlVeQ==' \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'grant_type=client_credentials&scope=my-scope'

For Microsoft Entra ID, here is an example of generating an access token using your Microsoft Entra ID identity provider:

    curl --request POST --url https://login.microsoftonline.com/e13n8hf4-nj0c-8po1-m0g8-0mke8f3111d5j/oauth2/v2.0/token \
      --header 'content-type: application/x-www-form-urlencoded' \
      --data 'client_id=7df2s309-erdp-0927-v203-p0e4df7409d5&scope=api://7df2s309-erdp-0927-v203-p0e4df7409d5/.default&client_secret=0Ec82@3dfafesQljc-9kzNf1De210nJasWPw2&grant_type=client_credentials'

2. Use the generated access token as the jwt_token for Kafka REST API authentication.

Note that the Confluent-Identity-Pool-Id header is optional. If omitted, Confluent Cloud automatically maps one or more OAuth identity pools based on the filters that evaluate true given the token's claim values. For more information about auto pool mapping, see Use auto pool mapping with OAuth identity pools.

The following example uses a curl --request command to create a topic:

    curl \
      -X POST \
      -H "Content-Type: application/json" \
      -H "Confluent-Identity-Pool-Id: pool-gtoK" \
      -H "Authorization: Bearer jwt_token" \
      https://pkc-82o1z4.us-west-2.aws.confluent.cloud:443/kafka/v3/clusters/lkc-zj12906/topics \
      -d '{"topic_name":"topic-2"}'
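The two steps above as one script, added here as an example and not Confluent's own code: it performs the client-credentials grant with HTTP Basic client authentication (the shape of the Okta command), lets you inspect the token's claims locally before sending it, and creates the topic with an optional Confluent-Identity-Pool-Id header. The token URL, REST endpoint, cluster id and pool id are assumed placeholders, and the HTTP transport is injectable so the request shapes can be checked without network access.

```python
import base64
import json
import os
import urllib.parse
import urllib.request


def _http(req):
    """Default transport: send the request and parse the JSON response."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def fetch_access_token(token_url, client_id, client_secret, scope, transport=_http):
    """Client-credentials grant with the client authenticated via HTTP Basic,
    the same shape as the Okta curl above. Returns the raw access token."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    headers = {"accept": "application/json", "authorization": f"Basic {basic}",
               "content-type": "application/x-www-form-urlencoded"}
    req = urllib.request.Request(token_url, data=body.encode(), headers=headers, method="POST")
    return transport(req)["access_token"]


def jwt_claims(token):
    """Decode the JWT payload for local inspection only (no signature check),
    e.g. to see the aud/scp values an identity-pool filter will evaluate."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def create_topic(rest_endpoint, cluster_id, topic_name, token, pool_id=None, transport=_http):
    """POST /kafka/v3/clusters/{cluster_id}/topics with the bearer token.
    Confluent-Identity-Pool-Id is optional; without it Confluent Cloud uses auto pool mapping."""
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    if pool_id:
        headers["Confluent-Identity-Pool-Id"] = pool_id
    url = f"{rest_endpoint}/kafka/v3/clusters/{cluster_id}/topics"
    data = json.dumps({"topic_name": topic_name}).encode()
    return transport(urllib.request.Request(url, data=data, headers=headers, method="POST"))


if __name__ == "__main__":
    # Placeholder URLs/ids (assumed); the client secret comes from the environment, never hard-coded.
    token = fetch_access_token("https://IDP_HOST/oauth2/default/v1/token",
                               os.environ["OAUTH_CLIENT_ID"], os.environ["OAUTH_CLIENT_SECRET"], "my-scope")
    print("token claims:", jwt_claims(token))  # inspect claims, never print the token itself
    print(create_topic("https://REST_ENDPOINT:443", "lkc-XXXXXX", "topic-2", token, pool_id="pool-XXXX"))
```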