Use the AuthenticationHandler Class for Multi-Protocol Authentication in Confluent Platform

Starting with Confluent Platform 7.7, a new handler class, AuthenticationHandler, is available only for REST-based services, including Schema Registry, Kafka REST, and Connect.

The AuthenticationHandler handler class is designed to accept:

  • Identity provider (IdP) OAuth tokens
  • Confluent OAuth tokens provisioned by MDS
  • HTTP Basic Authentication
  • HTTP Basic Authentication using LDAP usernames and passwords
  • Mutual TLS (mTLS) certificates

By accepting multiple authentication mechanisms, the AuthenticationHandler handler enables REST-based services in Confluent Platform to:

  • Upgrade from existing non-OAuth authentication mechanisms to support OAuth authentication without any downtime.
  • Simultaneously support multiple protocols based on your application requirements.

The AuthenticationHandler can simultaneously handle requests from:

  • Existing legacy clients that use:
    • LDAP usernames and passwords
    • MDS tokens
  • New clients that use:
    • OAuth tokens
    • Mutual TLS (mTLS) certificates
    • Both OAuth tokens and mTLS certificates

The AuthenticationHandler class can also provision metrics for each of the different authentication types.

Example of multi-protocol authentication in Confluent Platform

The diagram below illustrates an example of how the AuthenticationHandler class in Confluent Platform allows for flexible authentication for REST-based services by accepting multiple authentication mechanisms. Note the following:

  • The AuthenticationHandler class authenticates requests from multiple protocols, in this example, OAuth 2.0 and mTLS.
  • Application Client 1 and 2 use OAuth 2.0 to authenticate with the Confluent Platform services. The AuthenticationHandler class processes the OAuth tokens, verifies them, and provides access based on their validity, and the permissions granted.
  • Application Client 3 uses mTLS to authenticate with the Confluent Platform services. In this setup, both the client and server authenticate each other using certificates. The AuthenticationHandler class verifies the client certificates, ensuring both the client and server are trusted entities.
The AuthenticationHandler class authenticates requests from multiple protocols.

Use the AuthenticationHandler class

You can use the AuthenticationHandler class for multi-protocol authentication in your Confluent Platform cluster by adding the following property:

rest.servlet.initializor.classes

Configuration examples

Following are examples of how to configure the AuthenticationHandler class for supported authentication mechanisms. Adjust the property values according to your specific environment and requirements.

Identity provider (IdP) OAuth tokens

To configure the AuthenticationHandler for IdP OAuth tokens:

rest.servlet.initializor.classes=io.confluent.rest.auth.security.AuthenticationHandler
authentication.method=OAUTH
oauth.jwks.endpoint.url=https://your-idp.com/.well-known/jwks.json
oauth.valid.issuer=https://your-idp.com
oauth.expected.audience=your-audience

Confluent OAuth tokens

For Confluent OAuth tokens from Confluent Cloud:

rest.servlet.initializor.classes=io.confluent.rest.auth.security.AuthenticationHandler
authentication.method=OAUTH
oauth.jwks.endpoint.url=https://confluent.cloud/.well-known/jwks.json
oauth.valid.issuer=https://confluent.cloud
oauth.expected.audience=your-confluent-cloud-audience

HTTP Basic Authentication

To use HTTP Basic Authentication:

rest.servlet.initializor.classes=io.confluent.rest.auth.security.AuthenticationHandler
authentication.method=BASIC
basic.auth.user.info=user1:password1,user2:password2

HTTP Basic Authentication using LDAP usernames and passwords

For HTTP Basic Authentication with LDAP:

rest.servlet.initializor.classes=io.confluent.rest.auth.security.AuthenticationHandler
authentication.method=BASIC
basic.auth.ldap.url=ldap://your-ldap-server:389
basic.auth.ldap.user.base.dn=ou=users,dc=example,dc=com

mTLS

To configure mTLS:

rest.servlet.initializor.classes=io.confluent.rest.auth.security.AuthenticationHandler
authentication.method=TLS
ssl.client.auth=required
ssl.truststore.location=/path/to/truststore.jks
ssl.truststore.password=truststore-password
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=keystore-password

Monitoring authentication

It’s useful to get the monitoring data of authentication requests, their success rates, and associated latencies. You can enable monitoring of authentication through the AuthenticationHandler. This class generates metrics for the different Confluent Platform authentication mechanisms, OAuth, mTLS, basic, and MDS over OAuth.

To enable monitoring, set this property in the Confluent REST Proxy service:

rest.auth.jmx.enabled=true

You should begin to see metrics similar to the following:

Total successful auth requests
Total unsuccessful auth requests
Latency in successful auth request ( sampled )
Latency in un successful auth request (sampled )
Average latency of successful auth requests ( ms )
Max latency of successful auth requests (ms).
99 percentile of latency for successful auth requests (ms)
95 percentile of latency for successful auth requests (ms)

Confluent Platform uses JMX (Java Management Extensions) for exposing metrics from various services, including the Confluent REST Proxy. This allows you to monitor with Confluent Control Center or external tools like JConsole, Prometheus, and Grafana. For more information using these tools with Confluent Platform, see Monitor Consumer Lag in Confluent Platform.