Configure Confluent Schema Registry for OAuth Authentication in Confluent Platform

Configure Schema Registry to connect to Confluent Server brokers

To configure Schema Registry to connect to Confluent Server brokers, add the following configuration settings to the schema-registry.properties file, replacing the placeholder values with your actual configuration values:

kafkastore.bootstrap.servers=SASL_SSL://<broker>:9095
kafkastore.sasl.mechanism=OAUTHBEARER
kafkastore.security.protocol=SASL_SSL
kafkastore.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
kafkastore.sasl.oauthbearer.token.endpoint.url=<token-endpoint-url>
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId="<client-id>" \
    clientSecret="<client-secret>" \
    scope="groups";

Configure Confluent Server brokers to connect to Schema Registry

If broker-side schema ID validation is enabled on topics, Confluent Server brokers connect to Schema Registry to resolve the schema IDs they find in records. Add the following settings to the broker's server.properties file to configure that connection. If role-based access control (RBAC) is enabled, the principal that the client ID below maps to must hold the Schema Registry permissions that validation needs. For details, see Validate Broker-side Schema IDs in Confluent Platform.

# Schema registry configurations.
confluent.schema.registry.url=<sr-url>
# If Broker validation is enabled for topics
confluent.bearer.auth.credentials.source=OAUTHBEARER
confluent.bearer.auth.issuer.endpoint.url=<token-endpoint-url>
confluent.bearer.auth.client.id=<client-id>
confluent.bearer.auth.client.secret=<client-secret>

Configure Schema Registry to connect to Metadata Service (MDS)

To configure your Schema Registry to connect to your Metadata Service (MDS), add the following settings to the schema-registry.properties file, replacing the placeholder values with your actual configuration values. The http:// placeholders are illustrative only: in production, use https:// for both the MDS URL and the token endpoint, because the client secret is sent to the token endpoint on every token request.

confluent.metadata.bootstrap.server.urls=http://<mds-url>:<mds-port>
confluent.metadata.http.auth.credentials.provider=OAUTHBEARER
confluent.metadata.oauthbearer.token.endpoint.url=http://<idp-url>
confluent.metadata.oauthbearer.login.client.id=<client-id>
confluent.metadata.oauthbearer.login.client.secret=<client-secret>

Configure Schema Registry to use OAuth authentication

To enable OAuth on your Schema Registry, add the following settings to the schema-registry.properties file, replacing the placeholder values with your actual configuration values. Schema Registry validates each incoming bearer token against these settings: the signature against a key from the JWKS endpoint, the issuer and audience claims against the expected values, and the principal and group membership read from the named claims.

rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
oauthbearer.jwks.endpoint.url=<jwks-endpoint-url>
oauthbearer.expected.issuer=<idp-issuer-url>
oauthbearer.expected.audience=<audience>
oauthbearer.sub.claim.name=<sub-claim-name>
oauthbearer.groups.claim.name=<groups-claim-name>
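The settings above are the validation policy; the Go program below, an added example that is not part of Confluent's documentation or of Schema Registry's own implementation, walks one bearer token through that policy with only the standard library: select the JWKS key by the token's kid, pin RS256, verify the signature, check iss, aud and exp, then read the principal and groups from the configured claim names. The key, the JWKS, the kid value kid-1, the claim names sub and groups, and the issuer and audience strings used by the test are all constructed for the example; MintDemoToken plays the IdP so that the code runs offline. It compares aud as a single string, so adapt that check if your IdP issues the array form that RFC 7519 also permits.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// ValidatorConfig mirrors the oauthbearer.* settings in schema-registry.properties.
type ValidatorConfig struct {
	ExpectedIssuer, ExpectedAudience, SubClaimName, GroupsClaimName string
}

// JWK/JWKS model the RSA keys served at oauthbearer.jwks.endpoint.url (RFC 7517); encoding/json maps the lower-case members "keys", "kid", "kty", "n" and "e" onto these fields case-insensitively.
type JWK struct{ Kid, Kty, N, E string }
type JWKS struct{ Keys []JWK }

var enc = base64.RawURLEncoding // JWT segments and JWK parameters are unpadded base64url

// MintDemoToken is constructed for this offline example: it plays the IdP, generating a throwaway
// key, the JWKS the IdP would publish for it and an RS256 token. Schema Registry itself never signs.
func MintDemoToken(kid string, claims map[string]any) (string, JWKS, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", JWKS{}, err
	}
	set := JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", N: enc.EncodeToString(priv.N.Bytes()),
		E: enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims) // plain JSON types only, so Marshal cannot fail here
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), set, err
}

func decodePart(part string, v any) error {
	raw, err := enc.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// keyByKid picks the JWKS entry named in the token header; an unknown kid is a hard failure.
func keyByKid(set JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range set.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// Validate runs the checks the oauthbearer.* settings configure on one bearer token and returns
// the principal and groups that Schema Registry would hand to authorization.
func Validate(token string, set JWKS, cfg ValidatorConfig, now int64) (string, []string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // the verifier pins RS256; the token's alg field never chooses
	if len(parts) != 3 || decodePart(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return "", nil, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg)
	}
	pub, err := keyByKid(set, hdr.Kid)
	sig, errSig := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || errSig != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", nil, fmt.Errorf("signature verification failed (%v)", err)
	}
	var claims map[string]any // trusted only from here on, after the signature check
	if err := decodePart(parts[1], &claims); err != nil {
		return "", nil, err
	}
	if claims["iss"] != cfg.ExpectedIssuer || claims["aud"] != cfg.ExpectedAudience {
		return "", nil, fmt.Errorf("issuer %v / audience %v not accepted", claims["iss"], claims["aud"])
	}
	if exp, ok := claims["exp"].(float64); !ok || now >= int64(exp) { // JSON numbers decode as float64
		return "", nil, fmt.Errorf("token expired or has no exp")
	}
	var groups []string
	raw, _ := claims[cfg.GroupsClaimName].([]any)
	for _, g := range raw {
		if s, ok := g.(string); ok {
			groups = append(groups, s)
		}
	}
	if sub, _ := claims[cfg.SubClaimName].(string); sub != "" {
		return sub, groups, nil
	}
	return "", nil, fmt.Errorf("principal claim %q missing", cfg.SubClaimName)
}
```

The order of checks matters: nothing in the payload is read until the signature has been verified against a key chosen by the verifier, and the algorithm is fixed by configuration rather than taken from the token, which is what closes the alg=none and key-confusion classes of JWT bugs. A production validator would additionally cache and refresh the JWKS document over HTTPS and allow a small clock skew on exp.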

Configure Schema Registry clients to use OAuth authentication

A Schema Registry client can be given its own OAuth settings for communicating with the Schema Registry server. With these, the client obtains an access token from the token endpoint using its client ID and secret and presents it as a bearer token on every Schema Registry request.

bearer.auth.credentials.source=OAUTHBEARER
bearer.auth.issuer.endpoint.url=<idp-token-endpoint>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<scope>

Alternatively, a Schema Registry client that is embedded in a Kafka client (for example, a serializer inside a producer) can reuse the OAuth settings already configured for the connection to the Confluent Server broker. With SASL_OAUTHBEARER_INHERIT, the token endpoint, client ID, client secret and scope are inherited from the Kafka client's sasl.jaas.config, so the bearer.auth.* properties below are optional. Any of them that you do set takes precedence over the inherited value.

bearer.auth.credentials.source=SASL_OAUTHBEARER_INHERIT
# The settings below are optional; any that are set override the values inherited from the Kafka client
bearer.auth.issuer.endpoint.url=<idp-token-endpoint>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<scope>
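Behind bearer.auth.credentials.source=OAUTHBEARER, and equally behind the broker's confluent.bearer.auth.* and Schema Registry's confluent.metadata.oauthbearer.* settings above, is one exchange: a client-credentials grant against the token endpoint, then an Authorization: Bearer header on each Schema Registry request. The Go program below is an added example, not Confluent client code: it performs that exchange against two in-process stand-ins (constructed here, not real services), and Resolve applies the SASL_OAUTHBEARER_INHERIT precedence rule from the paragraph above. It assumes the token endpoint accepts HTTP Basic client authentication, which RFC 6749 requires token endpoints to support; the client ID, secret, the tok-abc123 token value and the user-events-value subject are placeholders.

```go
package main
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// BearerConfig holds the bearer.auth.* client values; the same four settings recur as confluent.bearer.auth.* on the broker and confluent.metadata.oauthbearer.* for MDS.
type BearerConfig struct {
	IssuerEndpointURL, ClientID, ClientSecret, Scope string
}

// Resolve applies the SASL_OAUTHBEARER_INHERIT precedence rule: start from what the Kafka client
// already carries in sasl.jaas.config, then let any explicitly set bearer.auth.* value win.
func Resolve(inherited, explicit BearerConfig) BearerConfig {
	pick := func(over, base string) string {
		if over != "" {
			return over
		}
		return base
	}
	return BearerConfig{
		IssuerEndpointURL: pick(explicit.IssuerEndpointURL, inherited.IssuerEndpointURL),
		ClientID:          pick(explicit.ClientID, inherited.ClientID),
		ClientSecret:      pick(explicit.ClientSecret, inherited.ClientSecret),
		Scope:             pick(explicit.Scope, inherited.Scope),
	}
}

// FetchToken runs the client-credentials grant (RFC 6749 section 4.4): a form POST to the token
// endpoint with the client authenticated by HTTP Basic, answered by JSON carrying access_token.
func FetchToken(c *http.Client, cfg BearerConfig) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if cfg.Scope != "" {
		form.Set("scope", cfg.Scope)
	}
	req, err := http.NewRequest(http.MethodPost, cfg.IssuerEndpointURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(cfg.ClientID, cfg.ClientSecret) // the secret travels here, so production means TLS
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ AccessToken string `json:"access_token"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil || body.AccessToken == "" {
		return "", fmt.Errorf("no access token from token endpoint (HTTP %d)", resp.StatusCode)
	}
	return body.AccessToken, nil
}

// ListSubjects is the authenticated Schema Registry call: GET /subjects carrying the bearer token.
func ListSubjects(c *http.Client, srURL, token string) ([]string, error) {
	req, err := http.NewRequest(http.MethodGet, srURL+"/subjects", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("schema registry returned HTTP %d", resp.StatusCode)
	}
	var subjects []string
	return subjects, json.NewDecoder(resp.Body).Decode(&subjects)
}

// NewFakeIdP and NewFakeSR are constructed stand-ins so the exchange runs offline; each checks what
// a real token endpoint or a bearer-protected Schema Registry would check before answering.
func NewFakeIdP(clientID, secret, token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, sec, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != clientID || sec != secret || r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"token_type":"Bearer","expires_in":300}`, token)
	}))
}

func NewFakeSR(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `["user-events-value"]`)
	}))
}
```

The stand-ins reject a wrong client secret and a forged bearer token with HTTP 401, which is the behaviour to expect when a misconfigured client.id/client.secret pair or a token issued for a different audience reaches a real deployment. Because the secret is sent on every token request, the http.Client in production must talk to the token endpoint over TLS, which is why the http:// placeholders earlier on this page should become https:// outside a lab.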