Configure Confluent REST Proxy for OAuth Authentication in Confluent Platform

Confluent REST Proxy is a REST application built on Jetty, designed to facilitate communication with Kafka. It supports OAuth authentication, allowing secure interactions with Confluent Server brokers and other Confluent Platform services. The configuration process for REST Proxy mirrors that of Schema Registry.

Configure standalone REST Proxy

To configure your standalone REST Proxy, use the following configuration information.

Connect REST Proxy to Kafka

To configure the REST Proxy to connect to Kafka, add the following properties to the REST Proxy configuration file, replacing the placeholder values with your actual configuration values:

client.sasl.mechanism=OAUTHBEARER
client.security.protocol=SASL_SSL
client.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
client.sasl.oauthbearer.token.endpoint.url=<idp-token-endpoint>
client.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
 clientId="<client-id>" \
 clientSecret="<client-secret>" \
 scope="groups";

Configure REST Proxy connection to Metadata Service (MDS)

To configure the REST Proxy to connect to the Metadata Service (MDS), add the following properties to the REST Proxy configuration file, replacing the placeholder values with your actual configuration values.

confluent.metadata.oauthbearer.token.endpoint.url=<idp-token-url>
confluent.metadata.oauthbearer.login.credentials.source=OAUTHBEARER
confluent.metadata.oauthbearer.login.oauth.scope=groups
confluent.metadata.bootstrap.server.urls=<bootstrap-url>
confluent.metadata.http.auth.credentials.provider=OAUTHBEARER
confluent.metadata.oauthbearer.login.client.id=<client-id>
confluent.metadata.oauthbearer.login.client.secret=<client-secret>

Configure REST Proxy with OAuth

To configure the REST Proxy server with OAuth, add the following properties to the REST Proxy configuration file, replacing the placeholder values with your actual configuration values.

rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
# IdP settings
oauthbearer.jwks.endpoint.url=<idp-keys-url>
oauthbearer.groups.claim.name=groups
oauthbearer.sub.claim.name=<client-id>
oauthbearer.expected.audience=account
oauthbearer.expected.issuer=<idp-issuer>

Configure REST clients

There are no specific REST client configurations required. Any REST client (such as Postman or cURL) with an identity provider (IdP) bearer token can access the available REST endpoints. Here is a sample cURL call:

curl --location 'http://localhost:8090/kafka/v3/clusters/<kafka-cluster-id>/topics' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <idp-token>' \
--data ''

Configure embedded REST Proxy

The embedded REST Proxy runs inside the same Jetty server as the Metadata Service (MDS), as a Kafka plugin. It takes the same configuration as the standalone REST Proxy, except that the Kafka bootstrap URL is optional.

Enable OAuth in Confluent REST Proxy

To enable OAuth in Confluent REST Proxy, add the following properties to the REST Proxy configuration file, replacing the placeholder values with your actual configuration:

kafka.rest.rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
kafka.rest.authentication.roles=**
kafka.rest.oauthbearer.jwks.endpoint.url=<jwks-endpoint>
kafka.rest.oauthbearer.groups.claim.name=groups
kafka.rest.oauthbearer.sub.claim.name=<client-id>
kafka.rest.oauthbearer.expected.audience=<account>
kafka.rest.oauthbearer.expected.issuer=<expected-issuer>
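As an added illustration (not Confluent's code), the following Python models the checks that the oauthbearer.* settings above, and their kafka.rest.oauthbearer.* equivalents for the embedded proxy, describe: expected issuer, expected audience, expiry, and which claims supply the principal and the groups used for RBAC. The issuer URL, signing key and claims are constructed for the example, and HS256 with a shared key stands in for the RS256 verification against the JWKS endpoint that the proxy performs.

```python
import base64, hashlib, hmac, json, time

# Mirrors the REST Proxy settings on this page; values are constructed placeholders.
CONFIG = {
    "oauthbearer.expected.issuer": "https://idp.example/realms/demo",
    "oauthbearer.expected.audience": "account",
    "oauthbearer.groups.claim.name": "groups",
    "oauthbearer.sub.claim.name": "sub",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Build a compact JWT. HS256 with a shared key stands in for the RS256/JWKS signing a real IdP uses."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def check_token(token: str, key: bytes, config: dict = CONFIG, now=None) -> dict:
    """Apply the checks the oauthbearer.* settings describe; return principal and groups, or an error."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "error": "malformed token"}
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":  # never trust the token's own alg choice
        return {"ok": False, "error": "unexpected alg"}
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return {"ok": False, "error": "bad signature"}
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != config["oauthbearer.expected.issuer"]:
        return {"ok": False, "error": "unexpected issuer"}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
    if config["oauthbearer.expected.audience"] not in aud:
        return {"ok": False, "error": "unexpected audience"}
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return {"ok": False, "error": "token expired"}
    principal = claims.get(config["oauthbearer.sub.claim.name"])
    if principal is None:
        return {"ok": False, "error": "missing subject claim"}
    return {"ok": True, "principal": principal,
            "groups": claims.get(config["oauthbearer.groups.claim.name"], [])}
```

A token minted for another service (different aud) or by another issuer is rejected before any principal is derived, which is the property the expected.audience and expected.issuer settings buy you.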

With RBAC

To configure REST Proxy with role-based access control (RBAC), add the following properties, replacing the placeholder values with your actual configuration:

kafka.rest.bootstrap.servers=<broker listener configured with OAuth>
kafka.rest.client.security.protocol=SASL_SSL
kafka.rest.confluent.metadata.bootstrap.server.urls=<mds-bootstrap-url>
kafka.rest.confluent.metadata.oauthbearer.login.client.id=<client-id>
kafka.rest.confluent.metadata.oauthbearer.login.client.secret=<client-secret>
kafka.rest.confluent.metadata.oauthbearer.token.endpoint.url=<token-endpoint>
kafka.rest.public.key.path=<public-key-path>
kafka.rest.kafka.rest.resource.extension.class=io.confluent.kafkarest.security.KafkaRestSecurityResourceExtension