Use OAuth Identity Pools with Your OAuth/OIDC Identity Provider on Confluent Cloud¶
You can use an OAuth identity pool to provide granular control over access of your applications to your Confluent Cloud resources. An OAuth identity pool is a group of external application identities that are assigned a certain level of access based on a claims-based policy. The use of the OAuth identity pool is defined by the pool filter expression. Access is controlled using role-based access control (RBAC) or access control lists (ACLs).
To create an OAuth identity pool to map access to your OAuth/OIDC identity provider, click Add identity pool and follow the steps in Add an OAuth identity pool.
To use the Confluent Cloud APIs to create, read, update, list, and delete OAuth identity pools, see Identity Pools (iam/v2).
Add an OAuth identity pool¶
Required RBAC roles:
Before you can use the OAuth 2.0 identity provider that you created in Add an identity provider using Confluent Cloud Console, you need to configure an OAuth identity pool to be used with that identity provider.
To create an OAuth identity pool to use with your OAuth/OIDC identity provider:
In Confluent Cloud Console, go to the Workload identities tab under Accounts & access at https://confluent.cloud/settings/org/workload_identities.
Alternatively, you can open the Confluent Cloud Console at https://confluent.cloud, open the sidebar menu, click Accounts & access, and then click Workload identities.
Click Workload identities and then click the OAuth/OIDC identity provider that you want to use to create the OAuth identity pool.
The identity provider’s details page appears.
Click Add pool.
The New identity pool page appears.
Under Create your identity pool, enter the following information:
- Name – Enter the name for your OAuth identity pool.
- Description – Enter meaningful information for using and managing your OAuth identity pool.
Under Add identity pool owner, grant the ResourceOwner role to the account that owns the OAuth identity pool. This account can manage, edit, and delete this account.
- Account type: Select the account type that owns the OAuth identity pool.
- Account: Select the account that owns the OAuth identity pool. This value appears in the audit log records.
The account that owns the identity pool can manage, edit, and delete the identity pool. Note that if you do not specify an account, only OrganizationAdmin and AccountAdmin roles can manage the account after creation.
Under Add identity claim, enter the name of the claim from which to extract the identity name.
The default value is
claims.sub(subject). For details about the “claims.sub” claim, see JSON Web Token (JWT) [RFC 7519]: Section 4.1.2.If required, you can enter an email claim or your own custom claim.
Under Set filters (required), set filters that require specific certificate metadata values.
To set up filters, follow the steps in Set OAuth identity pool filters.
If you are not specifying filters, continue below the following section.
Set OAuth identity pool filters¶
Use OAuth identity pool filters to specify which identities can authenticate using your OAuth identity pool. You must create at least one filter for each OAuth identity pool.
To create an OAuth identity pool filter, use the Common Expression Language (CEL) (summarized in the following table) to enter the required formulas.
Supported Common Expression Language (CEL) filters¶
The following table summarizes the supported CEL filters.
- All token fields used in filter definitions must be prefixed with
claims..
- _ For development purposes, you can temporarily set the filter to
true - to allow all identities with a valid token to authenticate.
| Use case | CEL expression |
|---|---|
| Equality | claims.iss == "google" |
| Inclusion | claims.appid in ["abc", "xyz"] |
!(claims.appid in ["abc", "xyz"]) |
|
'administrators' in claims.groups |
|
!('administrators' in claims.groups) |
|
| Presence check | has(claims.iss) |
!has(claims.iss) |
|
| Prefix matching | claims.principal.startsWith("user") |
| Suffix matching | claims.principal.endsWith("user") |
For more complex rules, use the following operators:
| Use case | Operator precedence | CEL expression |
|---|---|---|
| Logical NOT | 1 | !(claims.iss == "google") |
| Logical AND | 2 | claims.iss == "google" && claims.principal == "userA" |
| Logical OR | 3 | claims.iss == "google" || claims.principal == "userA" |
The rules can be grouped into parentheses, like this: Expression && ( Expression || Expression )
Click Next.
The Add roles section appears.
To control access to resources using your OAuth identity pool, complete the Add Roles section:
- Roles – Select a resource to manage access for it, then specify the RBAC role using the dropdown list. You can optionally delete a role assignment or add an additional role. For details on the RBAC roles, see Predefined RBAC Roles on Confluent Cloud.
- ACLs, if required, can be managed using the Confluent CLI or Confluent Cloud APIs. For details, see Use Access Control Lists (ACLs) on Confluent Cloud.
Click Next.
Review your OAuth identity pool settings, access delegation summary, and resource access summary, and then click Create identity pool.
You have successfully added an OAuth identity pool to your Confluent Cloud identity provider and can now use your new OAuth identity pool to control access based on the policies specified.