Configure OAuth for Schema Registry in Confluent Platform

Starting with Confluent Platform version 7.7, the Schema Registry server can be configured for Open Authentication (OAuth) to secure its services. The following sections cover configurations to implement OAuth for Schema Registry that may be required on the Kafka broker, Schema Registry server, and Schema Registry clients, depending upon your use case.

Configure the Kafka broker to connect to Schema Registry

In cases where broker-side schema validation is enabled on topics, the Kafka broker attempts to connect to Schema Registry. Provide the following configurations in the broker properties file to allow the broker to connect to Schema Registry for validation. For example, if using KRaft, you would configure this in one of $CONFLUENT_HOME/etc/kafka/broker.properties, controller.properties, or server.properties, depending on your KRaft setup.

If role-based access control (RBAC) is enabled, the principal that these credentials identify must hold the Schema Registry permissions needed for validation.

# Schema registry configurations
confluent.schema.registry.url=<your-schema-registry-URL>
# If Broker validation is enabled for topics
confluent.bearer.auth.credentials.source=OAUTHBEARER
confluent.bearer.auth.issuer.endpoint.url=<token-end-point>
confluent.bearer.auth.client.id=<client-id>
confluent.bearer.auth.client.secret=<client-secret>

Tip

The above configurations are only required when the Schema Registry itself has server-side OAuth. When the broker has OAuth and Schema Registry has Basic Authentication, then confluent.basic.auth.credentials.source is used for Schema Registry validation. To learn more about Basic Authentication, see Schema Registry in the Security documentation for authenticating using HTTP Basic Authentication.

Enable OAuth on the Schema Registry server

Configure the following properties in the Schema Registry properties file to specify OAuth requirements for clients connecting to the Schema Registry server (for example, $CONFLUENT_HOME/etc/schema-registry/schema-registry.properties).

rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
oauthbearer.jwks.endpoint.url=https://my-good-idp.com/oauth2/keys
oauthbearer.expected.issuer=<idp-issuer>
oauthbearer.expected.audience=<target-audience>
oauthbearer.sub.claim.name=<sub-claim-name>
oauthbearer.groups.claim.name=<groups-claim-name>

Tip

  • The URL shown as the value for oauthbearer.jwks.endpoint.url is a generic example. This should be the URL that points to your OAuth server and keys.
  • The default value for the optional oauthbearer.sub.claim.name is sub.
  • The default value for the optional oauthbearer.groups.claim.name is groups.
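As an added illustration (not Confluent's code) of what the server properties above control, the following stdlib-only Python models the issuer, audience, expiry and claim-name checks that a token must pass; the config values and tokens are constructed, and signature verification against the keys from oauthbearer.jwks.endpoint.url is assumed to have already happened.

```python
import base64
import json

# Added illustration, not Confluent's implementation: models the claim checks that
# the oauthbearer.* server properties drive. Assumes the signature has already
# been verified against the keys fetched from oauthbearer.jwks.endpoint.url.
SERVER_CONFIG = {  # constructed values standing in for the <...> placeholders
    "oauthbearer.expected.issuer": "https://my-good-idp.com/oauth2",
    "oauthbearer.expected.audience": "schema-registry",
    "oauthbearer.groups.claim.name": "roles",  # overrides the default "groups"
}
DEFAULTS = {"oauthbearer.sub.claim.name": "sub",
            "oauthbearer.groups.claim.name": "groups"}

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_jwt(claims):
    """Build a compact JWT with a constructed, unverified signature segment."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return ".".join([header, b64url(json.dumps(claims).encode()), "sig-placeholder"])

def payload_claims(jwt):
    segment = jwt.split(".")[1]  # restore base64 padding before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def authenticate(config, jwt, now):
    """Return (principal, groups) for an acceptable token, else raise ValueError."""
    cfg = {**DEFAULTS, **config}  # optional claim names fall back to sub / groups
    claims = payload_claims(jwt)
    if claims.get("iss") != cfg["oauthbearer.expected.issuer"]:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # RFC 7519: string or list
    if cfg["oauthbearer.expected.audience"] not in aud:
        raise ValueError("audience mismatch: %r" % aud)
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    sub_name = cfg["oauthbearer.sub.claim.name"]
    if sub_name not in claims:
        raise ValueError("missing principal claim %r" % sub_name)
    groups = claims.get(cfg["oauthbearer.groups.claim.name"], [])
    return claims[sub_name], list(groups)

NOW = 1_700_000_000  # fixed clock so the checks are reproducible
GOOD = make_jwt({"iss": SERVER_CONFIG["oauthbearer.expected.issuer"], "aud": ["schema-registry", "kafka"],
                 "exp": NOW + 300, "sub": "sr-client-a", "roles": ["developers"]})
WRONG_AUD = make_jwt({"iss": SERVER_CONFIG["oauthbearer.expected.issuer"], "aud": "kafka",
                      "exp": NOW + 300, "sub": "sr-client-b"})
```

A token minted for another audience, an expired token, or one lacking the configured principal claim is rejected before any principal is derived for RBAC.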

Configure OAuth on the Schema Registry client

If OAuth is enabled on the Schema Registry server, Schema Registry clients must be configured appropriately. In Confluent Platform 7.7 and newer versions, the Schema Registry can be configured for OAuth as well as LDAP. Therefore, the Schema Registry can support scenarios where one Schema Registry client uses LDAP Basic Authentication to connect to Schema Registry whereas another client might use the OAuth configurations and workflow to connect to the same Schema Registry server.

Schema Registry clients can have an explicit configuration to talk to the Schema Registry server over OAuth, as shown in this example.

bearer.auth.credentials.source=OAUTHBEARER
bearer.auth.issuer.endpoint.url=<idp-token-end-point>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<groups>

Alternatively, a Schema Registry client can reuse the configurations used to connect to the Kafka broker. In this case, the properties related to “endpoint” and “client” are inherited from the Kafka client and are optional. However, if the properties are provided in the client configuration, they take precedence over the inherited values.

bearer.auth.credentials.source=SASL_OAUTHBEARER_INHERIT
# Configs below are optional
bearer.auth.issuer.endpoint.url=<idp-token-end-point>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<groups>

For details on each of these configuration options, see the Configuration Reference for Schema Registry Clients on Confluent Platform.

To learn more about configuring clients with Basic Authentication, see Schema Registry in the Security documentation for authenticating using HTTP Basic Authentication.