Add an OAuth/OIDC Identity Provider on Confluent Cloud

You can configure an OAuth-OIDC identity provider in Confluent Cloud to grant workloads and applications limited access to Confluent Cloud resources and Confluent Cloud APIs. A Confluent Cloud OAuth-OIDC identity provider uses the industry standard OAuth 2.0 and OpenID Connect (OIDC) protocols to establish trust with Confluent Cloud resources, reduce operational burdens, and grant programmatic access to Confluent Cloud APIs for your workloads and applications.

Note

OAuth-OIDC identity providers cannot currently authenticate Confluent Cloud user accounts. For your Confluent Cloud users, you can use a SAML-based single sign-on (SSO) identity provider.

To use the Confluent Cloud APIs to create, read, update, list, and delete identity providers, see Identity Providers (iam/v2).

Add an identity provider using Confluent Cloud Console

Required RBAC roles: OrganizationAdmin

Important

Before you add a new identity provider, review Best Practices for OAuth-OIDC Identity Providers on Confluent Cloud.

Prerequisites

  • You must have an account in the identity provider you want to use.
  • You must have an account in Confluent Cloud with the OrganizationAdmin role.
  • You need the following information for your identity provider:
    • OIDC Discovery URL: Obtain this URL from your identity provider to import metadata required to configure your OIDC provider. Using this option automatically provides the JWKS URI and the Issuer URI information.
    • Without the OIDC Discovery URL, you need the following information:
      • Microsoft Entra ID: Tenant ID, JWKS URI, and Issuer URI.
      • Okta: Authorization server, domain, JWKS URI, and Issuer URI.
      • Other OIDC identity provider: JWKS URI, and Issuer URI.
  • If your identity provider is behind a firewall, you must add Confluent Cloud public IP addresses to your firewall allowlist. These public IP addresses are used by Confluent Cloud to access your JWKS URI over the internet. To get the available Confluent Cloud public IP addresses, see Verify network access to the JWKS URI.

Configure an OAuth 2.0 identity provider

Follow these steps to configure an OAuth 2.0 identity provider using the Confluent Cloud Console.

  1. In Confluent Cloud Console, go to the Workload identities tab under Accounts & access at https://confluent.cloud/settings/org/workload_identities.

  2. Click Add identity providers.

  3. Select the OIDC identity provider type and click Next.

  4. Click Microsoft Entra ID, Okta or Other OIDC identity provider and complete the fields.

    Name

    Enter a meaningful name for your Microsoft Entra ID identity provider.

    Description

    Enter meaningful information for using and managing this provider.

    Tenant ID

    Enter the tenant identifier.

    Import from OIDC Discovery URL

    Click to import metadata required to configure your OIDC provider. This option adds the OIDC Discovery URL and automatically fills the JWKS URI and Issuer URI fields.

    JWKS URI

    Enter the URI for JSON Web Key Set (JWKS).

    JSON Web Key Sets (JWKS) provides a set of keys containing the public keys used to verify any JSON Web Token (JWT) issued by your Azure AD identity provider.

    Example: https://login.microsoftonline.com/<tenant_id>/discovery/v2.0/keys

    Issuer URI

    Enter the issuer URI for your Microsoft Entra ID authorization server.

    The unique issuer URI represents a string that represents the entity for issuing tokens.

    Example: https://login.microsoftonline.com/<tenant_id>/v2.0

    Important

    To use your Azure identity provider created here, you must also edit your Azure application manifest to set the accessTokenAcceptedVersion attribute to 2 to use the v2 token instead of the default legacy v1 token. For example, add the following line to your manifest:

    "accessTokenAcceptedVersion": 2
    

    For details, follow the steps in Configure the application manifest.

  5. Click Validate and save. The Accounts & access page appears, displaying the Workload identities tab.

  6. Click on your new identity provider. A details page appears, showing a summary listing of your identity provider name, description, issuer URI, and JWKS URI.

You have successfully created your identity provider, but you need to set up an identity pool to use your new identity provider.