Configure OAuth Authentication using SASL/OAUTHBEARER

Note

Early Access Program for OAuth Support

OAuth support for Confluent Platform is currently available in an Early Access Program. An Early Access Program feature is a component of Confluent Platform introduced to gain feedback. This feature should be used only for evaluation and non-production testing purposes or to provide feedback to Confluent.

Early Access Program features are intended for evaluation use in development and testing environments only, and not for production use. The warranty and Support Services provisions of your agreement with Confluent do not apply to Early Access Program features. Confluent may discontinue providing preview releases of the Early Access Program features at any time at Confluent’s sole discretion.

Overview

OAuth 2.0 support for Confluent Platform lets you “Bring Your Own Identity” to Confluent Platform, leveraging your identity provider (IdP) to authenticate users and client applications. OAuth 2.0 provides a more secure and convenient way to grant access to your Confluent Cloud resources for your users and client applicaitions. OAuth 2.0 is an open standard for authorization that enables third-party applications to obtain limited access to web services. Auth 2.0 also provides authorization flows for web and desktop applications, and mobile devices.

Confluent Server OAuth support

OAuth support for Confluent Platform provides the following benefits:

  • LDAP independence for Confluent Server RBAC
  • OAuth support for MDS REST APIs. If you have OAuth-OIDC JWTs, you can use the MDS REST APIs directly for administrative operations using OAuth.
  • Support for migration and upgrade scenarios to enable client authentication and authorization with both OAuth as well as LDAP/mTLS, etc.
  • Token-based group management for RBAC where OAuth-OIDC JWTs serve as the source of groups.
  • Client applications, like producers and consumers, can use OAuth-OIDC JWTs to authenticate and authorize to the Confluent Server.
  • In addition to the OAuth support described in KIP-768, Confluent Platform supports OAuth for enterprise features, like RBAC and group authorization.
  • You can Bring Your Own Identity (IdP) to Confluent Server with OAuth support.

Limitations

The following limitations apply to OAuth support for Confluent Platform during the Early Access Program:

  • OAuth support for Confluent Platform is available in Confluent Platform 7.6 as an Early Access feature. that provides a minimal Confluent Platform configuration (consisting of a Kafka broker and MDS), which lets you build applications that effortlessly produce and consume data through Kafka brokers, with RBAC authorization managed by MDS.
  • Ansible and CFK support for orchestration and management is currently unavailable.

Configure Kafka brokers

To use OAuth authentication with Confluent Platform, you must configure Kafka brokers with a SASL/OAUTHBEARER listener.

  • You can use the OIDC discovery endpoint to get the values for your IdP’s JWKS URI <idp-jwks-endpoint>, token endpoint (<idp-token-endpoint>), and other values. Typically, the OIDC discovery endpoint is located at https://<idp-domain>/.well-known/openid-configuration.
  • Verify if the claim value for groups is compatible with the token configuration in your identity provider.

The following example shows how to configure Kafka brokers with a SASL/OAUTHBEARER listener. Replace the values in angle brackets with the values for your IdP.

# Configuring a new listener
listeners=..,EXTERNAL://:9095
advertised.listeners=..,EXTERNAL://<host>:9095
listener.security.protocol.map=...,EXTERNAL:SASL_PLAINTEXT

# Adding OAuth to the Kafka listener
listener.name.external.sasl.enabled.mechanisms=OAUTHBEARER
listener.name.external.sasl.oauthbearer.jwks.endpoint.url=https://my-good-idp.com/oauth2/keys
listener.name.external.sasl.oauthbearer.expected.audience=api://default
listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
listener.name.external.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
listener.name.external.principal.builder.class=io.confluent.kafka.security.authenticator.OAuthKafkaPrincipalBuilder
confluent.oauth.groups.claim.name=groups

Optionally, you can use the SASL/OAUTHBEARER listener as the interbroker listener, using the following configuration:

inter.broker.listener.name=EXTERNAL
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
listener.name.external.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
listener.name.external.sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
listener.name.external.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
      clientId="<client-id>" \
      clientSecret="<client-secret>"
      scope="<scope>"; # scope is optional

When you use SASL/OAUTHBEARER as the interbroker listener, ensure that the principal in the authentication token of the client serves as the superuser. To do this, add the following configuration:

super.users= ...;User:<sub_claim_value>   # usually User:<client-id>

Configure for KRaft mode

When you use Confluent Platform in KRaft mode, you must add the following configuration to the Kafka controller for group-based authorization to work:

listener.name.external.principal.builder.class=io.confluent.kafka.security.authenticator.OAuthKafkaPrincipalBuilder
confluent.oauth.groups.claim.name=groups

Configure Kafka clients

To use OAuth authentication with Confluent Platform, you must configure Kafka clients with the following properties:

sasl.mechanism=OAUTHBEARER
security.protocol=SASL_PLAINTEXT
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.login.connect.timeout.ms=15000 # optional
sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="<client-id>" \
  clientSecret="<client-secret>"
  scope="<scope>"; # optional
  • Scope is optional, but is required when your identity provider does not have a default scope or your groups claim is linked to a scope.

Configure Kafka console consumer clients

Client configurations are passed in the client properties file. To use OAuth authentication with Kafka console consumer clients, you must add the following properties to your clients:

./bin/kafka-console-consumer \
  --bootstrap-server <host>:9095 \
  --topic purchases \
  --consumer.config oauth-client.properties

Configure MDS for OAuth support

Similar to your Kafka broker configurations, the following settings are required to enable IdP-issued OAuth token validation in MDS. For details on these configurations, see configurations for supporting IdP tokens in MDS.

confluent.metadata.server.user.store=OAUTH
confluent.metadata.server.oauthbearer.jwks.endpoint.url=<idp-jwks-endpoint>
confluent.metadata.server.oauthbearer.expected.issuer=<idp-issuer>
confluent.metadata.server.oauthbearer.expected.audience=Confluent,api://default,https://my-company.com
confluent.metadata.server.oauthbearer.sub.claim.name=sub
confluent.metadata.server.oauthbearer.groups.claim.name=groups
  • Group claims are included by default — you need to verify if the claim value for groups is compatible with the token configuration in your identity provider.

Configure MDS for TLS

If your identity provider uses a self-signed certificate and not one from a CA authority, you must add the identity provider’s TLS certificate to the MDS truststore. To reload the truststore with the TLS certificate, you must restart Confluent Server (confluent-server). For details, .. see Add the identity provider TLS certificates to the MDS truststore.

For development environments, you can use http (instead of https) to connect to your identity provider. For production environments, you should use an https URL in your configurations.

Configure MDS to enable OAuth without LDAP

Basic authentication (username:password) is not supported in this case. To interact with MDS requires a token from your identity provider.

confluent.metadata.server.user.store=OAUTH

Configure MDS to enable OAuth with LDAP

You can configure MDS to enable OAuth support without removing LDAP. This is mainly useful for client migration scenarios, and should be removed after migration.

confluent.metadata.server.user.store=LDAP_WITH_OAUTH

Add groups in identity providers

Depending on your identity provider, you might need to add groups to the token claims.

Applications cannot be added to user group in Okta. However, Okta provides an application profile that you can use as an identity attribute in an access token.

This operation cannot be performed using the Okta UI, but is available using their APIs. Here is a sample cURL request to create an application:

curl --location 'https://my-org.okta.com/api/v1/apps' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: SSWS <token>' \
--data '{
      "name": "oidc_client",
      "label": "Sales Producer Application",
      "signOnMode": "OPENID_CONNECT",
      "credentials": {
        "oauthClient": {
          "token_endpoint_auth_method": "client_secret_post"
        }
      },
      "profile": {
        "groups": ["ads", "fb-ads", "marketing-team"]
        },
      "settings": {
        "oauthClient": {
          "client_uri": null,
          "logo_uri": null,
          "response_types": [
            "token"
          ],
          "grant_types": [
            "client_credentials"
          ],
          "application_type": "service",
          "consent_method": "REQUIRED",
          "issuer_mode": "ORG_URL"
        }
      }
    }'

In the above example, the profile attribute is used to add groups to the token claims. The groups attribute is an array of groups that you want to add to the token claims. In this example, three groups called “ads”, “fb-ads”, and “marketing-team” are added to profile of “Sales Producer Application”. For more information, see Add application in the Okta documentation.

To configure the claim in the Okta UI, go to Security → API → <your-authorization-server> → Claims and enter the claim name (groups) and your own expression for the value (for example, app.profile.groups).