Configure Metadata Service (MDS) for OAuth Authentication in Confluent Platform

Use the following configurations for Metadata Service (MDS) to support OAuth authentication in your Confluent Platform clusters.

Configure MDS to support OAuth

The required configuration settings for OAuth on MDS are as follows. These settings are necessary to enable IdP-issued OAuth token validation in MDS. Replace the placeholder values with your actual configuration values.

confluent.metadata.server.oauthbearer.jwks.endpoint.url=<idp-jwks-endpoint>
confluent.metadata.server.oauthbearer.expected.issuer=<idp-issuer>
confluent.metadata.server.oauthbearer.expected.audience=Confluent,api://default,https://my-company.com
confluent.metadata.server.oauthbearer.sub.claim.name=sub
confluent.metadata.server.oauthbearer.groups.claim.name=groups

If your identity provider uses self-signed certificates for SSL, you can configure the truststore used to verify those certificates through the Metadata Service (MDS) configuration settings.
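As an added example (not part of the Confluent documentation or the MDS code), the following Python parses properties in the format shown above and applies the claim checks those settings govern to a constructed token: issuer, any-of match against the comma-separated audience list, expiry, and the configured subject and groups claim names. The issuer URL, audience values, shared key and token are assumptions, and HS256 with that shared key stands in for the RS256 verification MDS performs against the keys fetched from <idp-jwks-endpoint>.

```python
import base64, hashlib, hmac, json, time

# Constructed MDS properties, using the setting names shown on this page
MDS_PROPERTIES = """
confluent.metadata.server.oauthbearer.expected.issuer=https://idp.example.com/
confluent.metadata.server.oauthbearer.expected.audience=Confluent,api://default,https://my-company.com
confluent.metadata.server.oauthbearer.sub.claim.name=sub
confluent.metadata.server.oauthbearer.groups.claim.name=groups
"""
PREFIX = "confluent.metadata.server.oauthbearer."

def load_oauth_settings(text):
    """Parse the MDS properties into a dict keyed by the short setting name."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(PREFIX):
            settings[key[len(PREFIX):]] = value.strip()
    # expected.audience is a comma-separated list; a token needs to match any one entry
    settings["expected.audience"] = [a.strip() for a in settings["expected.audience"].split(",")]
    return settings

def _b64url(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_test_token(claims, key):
    """Constructed HS256 token for the example; a real IdP signs with the key it publishes at its JWKS URL."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_token(token, settings, key, now=None):
    """Apply the checks the settings govern; return (subject, groups) or raise ValueError."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the token choose it
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")  # a missing exp is treated as expired
    if claims.get("iss") != settings["expected.issuer"]:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud", [])  # RFC 7519 allows a single string or a list
    if not set([aud] if isinstance(aud, str) else aud) & set(settings["expected.audience"]):
        raise ValueError("audience mismatch")
    return claims[settings["sub.claim.name"]], claims.get(settings["groups.claim.name"], [])
```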

Configure MDS to enable OAuth without LDAP

In this case, HTTP Basic authentication (username:password) is not supported. To interact with MDS, you must use a token from your identity provider or a Confluent-issued token.

confluent.metadata.server.user.store=OAUTH

Configure MDS to enable OAuth with LDAP

This configuration adds OAuth support while keeping LDAP in place. It is useful for client migration scenarios and should be replaced once the migration is complete.

confluent.metadata.server.user.store=LDAP_WITH_OAUTH

Configure MDS for CLI SSO

The configuration for CLI SSO extends the Control Center (C3) SSO configuration with one extra property. Add the following configuration property, replacing <idp-device-auth-endpoint> with your actual value:

confluent.oidc.idp.device.authorization.endpoint.uri=<idp-device-auth-endpoint>

Configure MDS clients

MDS clients (such as Confluent Control Center, Schema Registry, and Connect) use the following flow to connect to MDS. First, the client obtains a JWT from its identity provider. A sample curl request that gets the token from the identity provider is:

curl -X POST \
   -H "Authorization: Basic <base-64-encoded client-id:client-secret>" \
   -H "Content-Type: application/x-www-form-urlencoded" \
   -d "grant_type=client_credentials" \
   -d "scope=groups" \
   <idp-token-endpoint>

After receiving the token, the client includes it as a bearer token in the Authorization header when calling MDS. Assuming MDS is running on port 8090 on localhost, the following request should succeed:

curl -X GET "http://localhost:8090/security/1.0/roles" \
 -H "accept: application/json" \
 -H "Authorization: Bearer <bearer-token>"