Configure Confluent Server Brokers for OAuth Authentication in Confluent Platform

The following configurations are for Confluent Server brokers, which are the proprietary Kafka brokers included in Confluent Platform Enterprise.

Configure a listener

Configure a listener with SASL/OAUTHBEARER to use OAuth authentication. In the configurations below, the listener named external is configured this way.

Note

You can get the values of <idp-jwks-endpoint>, <idp-token-endpoint>, and other parameters from the OIDC discovery endpoint, which is usually the following URL, replacing <YOUR_IDP_DOMAIN> with the actual domain name:

https://<YOUR_IDP_DOMAIN>/.well-known/openid-configuration

Required configuration settings

# Configure a new listener
listeners=..,EXTERNAL://:9095
advertised.listeners=..,EXTERNAL://<host>:9095
listener.security.protocol.map=...,EXTERNAL:SASL_SSL

# Add OAuth to the Kafka listener
listener.name.external.sasl.enabled.mechanisms=OAUTHBEARER
listener.name.external.sasl.oauthbearer.jwks.endpoint.url=<idp-jwks-endpoint>
listener.name.external.sasl.oauthbearer.expected.audience=<idp-audience>
listener.name.external.principal.builder.class=io.confluent.kafka.security.authenticator.OAuthKafkaPrincipalBuilder
confluent.oauth.groups.claim.name=groups

Optional configuration settings

The following settings are optional and depend on your Confluent Platform configuration.

For non-RBAC configurations

If you are not using RBAC, use the following SASL callback validator and corresponding JAAS configuration.

listener.name.external.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerValidatorCallbackHandler
listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;

For RBAC configurations

If you are using role-based access control (RBAC), then you must use the following SASL callback validator and corresponding JAAS configuration.

listener.name.external.oauthbearer.sasl.server.callback.handler.class=io.confluent.kafka.server.plugins.auth.token.CompositeBearerValidatorCallbackHandler
listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required unsecuredLoginStringClaim_sub="thePrincipalName" publicKeyPath="/var/ssl/private/public.pem";

Important

Without the CompositeBearerValidatorCallbackHandler, most Confluent Control Center API calls from the Confluent Control Center UI fail.

Use a custom sub claim name

If you want to use a custom sub claim name, add the following configuration setting, replacing <sub_claim_name> with your actual name:

listener.name.external.sasl.oauthbearer.sub.claim.name=<sub_claim_name>
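The settings above drive three claim checks on the broker: the token's aud must contain expected.audience, the principal comes from the claim named by sub.claim.name (sub by default), and groups are read from the claim named by confluent.oauth.groups.claim.name. The following is an added illustration (not Confluent's code) of those checks on a constructed, unsigned sample token; signature verification against the JWKS endpoint is left to the broker and is not modelled here.

```python
import base64
import json
import time
from typing import Optional

# Constructed sample payload (not a real IdP token). "exp" is far in the future
# so the sample stays valid when run.
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.test/",
    "sub": "svc-orders",
    "aud": ["kafka-cluster"],
    "exp": 4102444800,
    "groups": ["kafka-admins", "orders-readers"],
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Assemble header.payload.signature with a dummy signature (constructed sample)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.signature-omitted"

def _decode_segment(seg: str) -> dict:
    seg += "=" * (-len(seg) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(seg))

def extract_principal(token: str, expected_audience: str,
                      sub_claim_name: str = "sub", groups_claim_name: str = "groups",
                      now: Optional[float] = None) -> tuple:
    """Mirror the expected.audience / sub.claim.name / groups.claim.name checks.
    Returns (principal, groups); raises ValueError on any failed check."""
    claims = _decode_segment(token.split(".")[1])
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if expected_audience not in aud:
        raise ValueError(f"audience {aud!r} does not include {expected_audience!r}")
    principal = claims.get(sub_claim_name)
    if not principal:
        raise ValueError(f"missing subject claim {sub_claim_name!r}")
    groups = claims.get(groups_claim_name, [])
    return f"User:{principal}", list(groups)
```

A token whose aud does not list the configured audience, or that lacks the configured subject claim, is rejected before any principal is built, which is why a wrong expected.audience shows up as authentication failures rather than authorization denials.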

Configure interbroker communication (optional)

To use the SASL/OAUTHBEARER as the interbroker listener, add the following configuration settings, replacing <idp-token-endpoint>, <client-id>, <client-secret>, and <scope> with your actual values:

inter.broker.listener.name=EXTERNAL
sasl.mechanism.inter.broker.protocol=OAUTHBEARER
listener.name.external.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
listener.name.external.sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
listener.name.external.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
   clientId="<client-id>" \
   clientSecret="<client-secret>" \
   scope="<scope>";

Note

The scope parameter is optional; it is required only when your identity provider does not have a default scope or your groups claim is linked to a scope.

Configure a superuser

When you use SASL/OAUTHBEARER for the interbroker listener, ensure that the principal in the authentication token of the client serves as the superuser by adding the following configuration setting, replacing <sub-claim-value> with your actual value:

# The value is usually User:<client-id>
super.users=...;User:<sub-claim-value>

Configure the metadata server

If you want to keep both LDAP and your IdP as user stores (authentication sources), use LDAP_WITH_OAUTH. This is recommended while migrating from one user store to the other. For details on using LDAP_WITH_OAUTH, see Configure Metadata Service (MDS) for OAuth Authentication in Confluent Platform.

Configure for KRaft mode

When Kafka is running in KRaft mode, also add the following required configurations on the controller nodes, because requests are forwarded to the controller and OAuthKafkaPrincipalBuilder provides the group extraction needed there.

listener.name.external.principal.builder.class=io.confluent.kafka.security.authenticator.OAuthKafkaPrincipalBuilder
confluent.oauth.groups.claim.name=groups

Configure Kafka clients

Add the following configurations to your Kafka clients to use OAuth authentication.

sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
   clientId="<client-id>" \
   clientSecret="<client-secret>" \
   scope="<scope>";
# scope is optional and required only when your identity provider doesn't have a default scope or your groups claim is linked to a scope.

For a Kafka console consumer based on the configuration above, you can use the following kafka-console-consumer command, replacing <host> with the actual host name.

./bin/kafka-console-consumer \
  --bootstrap-server <host>:9095 \
  --topic purchases \
  --consumer.config oauth-client.properties