Configure Confluent Control Center for OAuth Authentication in Confluent Platform

Use the following configurations to secure and authenticate Confluent Control Center within your Confluent Platform deployments.

Configure Confluent Control Center as MDS OAuth client

To configure Confluent Control Center to get OAuth authentication tokens, add the following configuration settings, replacing <url>, <client-id>, and <client-secret> with your actual values:

confluent.metadata.oauthbearer.token.endpoint.url=<url>
confluent.metadata.oauthbearer.login.client.id=<client-id>
confluent.metadata.oauthbearer.login.client.secret=<client-secret>

These three settings are the minimum required.

For interactions between Confluent Control Center and your identity provider, you can add the following optional configuration settings:

confluent.metadata.oauthbearer.login.connect.timeout.ms
confluent.metadata.oauthbearer.login.read.timeout.ms
confluent.metadata.oauthbearer.login.retry.backoff.max.ms
confluent.metadata.oauthbearer.login.retry.backoff.ms

Confluent Control Center as a Kafka client

When Confluent Control Center acts as a Kafka client, configure it with the following settings so that its communication with your Confluent Platform clusters is secure and authenticated.

To enable OAuth authentication for the Confluent Control Center client, follow these steps:

  1. Specify the SASL mechanism as OAUTHBEARER.

    confluent.controlcenter.kafka.sasl.mechanism=OAUTHBEARER
    
  2. Add the JAAS configuration with your specific client credentials and scope, replacing <client-id>, <client-secret>, and <scope> with your actual values.

    confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
      clientId="<client-id>" \
      clientSecret="<client-secret>" \
      scope="<scope>";
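
As an added example (not Confluent's code or tooling), the following Python script lints a Control Center properties file against the settings shown on this page: required keys present, placeholders replaced, mechanism set to OAUTHBEARER, and the continued JAAS line complete. The HTTPS check on the token endpoint, the treatment of all three JAAS options from step 2 as expected, and the sample host and values are assumptions of this example.

```python
import re

URL = "confluent.metadata.oauthbearer.token.endpoint.url"  # names as on this page
MECH = "confluent.controlcenter.kafka.sasl.mechanism"
JAAS = "confluent.controlcenter.kafka.sasl.jaas.config"
REQUIRED = (URL, "confluent.metadata.oauthbearer.login.client.id",
            "confluent.metadata.oauthbearer.login.client.secret", MECH, JAAS)
PLACEHOLDER = re.compile(r"<[a-z-]+>")  # e.g. <client-secret> left in place

def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """Return a list of findings; an empty list means every check passed."""
    props = parse_properties(text)
    findings = [f"missing: {k}" for k in REQUIRED if k not in props]
    findings += [f"placeholder not replaced: {k}" for k in REQUIRED
                 if PLACEHOLDER.search(props.get(k, ""))]
    url = props.get(URL, "")
    if url and not PLACEHOLDER.search(url) and not url.startswith("https://"):
        findings.append("token endpoint is not HTTPS")
    if MECH in props and props[MECH] != "OAUTHBEARER":
        findings.append(f"sasl.mechanism is {props[MECH]}, expected OAUTHBEARER")
    jaas = props.get(JAAS, "")
    findings += [f"JAAS option not set: {opt}"
                 for opt in ("clientId", "clientSecret", "scope")
                 if jaas and not re.search(rf'\b{opt}="[^"]+"', jaas)]
    if jaas and not jaas.endswith(";"):
        findings.append("JAAS config does not end with ';'")
    return findings

# Constructed sample with deliberate mistakes (hypothetical host and values).
SAMPLE = r"""confluent.metadata.oauthbearer.token.endpoint.url=http://idp.example.test/oauth2/token
confluent.metadata.oauthbearer.login.client.secret=<client-secret>
confluent.controlcenter.kafka.sasl.mechanism=PLAIN
confluent.controlcenter.kafka.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  clientId="c3-client" \
  clientSecret="example-not-a-real-secret";"""
print("\n".join(lint(SAMPLE)))
```

To check a real file, pass its contents to lint(); the properties file holds the client secret in clear text, so read access to it should be limited to the Control Center service account.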