Configure Confluent Schema Registry for OAuth Authentication in Confluent Platform
Configure Schema Registry to connect to Confluent Server brokers
To configure Schema Registry to connect to Confluent Server brokers, add the following configuration settings to the schema-registry.properties file, replacing the placeholder values with your actual configuration values:
kafkastore.bootstrap.servers=SASL_SSL://<broker>:9095
kafkastore.sasl.mechanism=OAUTHBEARER
kafkastore.security.protocol=SASL_SSL
kafkastore.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
kafkastore.sasl.oauthbearer.token.endpoint.url=<token-endpoint-url>
kafkastore.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
clientId="<client-id>" \
clientSecret="<client-secret>" \
scope="groups";
Configure Confluent Server brokers to connect to Schema Registry
If broker-side validation is enabled on topics, Confluent Server brokers try to connect to Schema Registry. Add the following configuration to the Confluent Server broker server.properties file to enable this connection. If role-based access control (RBAC) is enabled, the principal defined here must have the appropriate permissions. For details, see Validate Broker-side Schema IDs in Confluent Platform.
# Schema registry configurations.
confluent.schema.registry.url=<sr-url>
# If Broker validation is enabled for topics
confluent.bearer.auth.credentials.source=OAUTHBEARER
confluent.bearer.auth.issuer.endpoint.url=<token-endpoint-url>
confluent.bearer.auth.client.id=<client-id>
confluent.bearer.auth.client.secret=<client-secret>
Configure Schema Registry to connect to Metadata Service (MDS)
To configure your Schema Registry to connect to your Metadata Service (MDS), add the following settings to the schema-registry.properties file, replacing the placeholder values with your actual configuration values.
confluent.metadata.bootstrap.server.urls=http://<mds-url>:<mds-port>
confluent.metadata.http.auth.credentials.provider=OAUTHBEARER
confluent.metadata.oauthbearer.token.endpoint.url=http://<idp-url>
confluent.metadata.oauthbearer.login.client.id=<client-id>
confluent.metadata.oauthbearer.login.client.secret=<client-secret>
Configure Schema Registry to use OAuth authentication
To enable OAuth on your Schema Registry, add the following settings to the server.properties file, replacing the placeholder values with your actual configuration values.
rest.servlet.initializor.classes=io.confluent.common.security.jetty.initializer.AuthenticationHandler
oauthbearer.jwks.endpoint.url=<jwks-endpoint-url>
oauthbearer.expected.issuer=<idp-issuer-url>
oauthbearer.expected.audience=<audience>
oauthbearer.sub.claim.name=<sub-claim-name>
oauthbearer.groups.claim.name=<groups-claim-name>
Configure Schema Registry clients to use OAuth authentication
The Schema Registry client can have explicit configurations to communicate with the Schema Registry server over OAuth.
bearer.auth.credentials.source=OAUTHBEARER
bearer.auth.issuer.endpoint.url=<idp-token-endpoint>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<scope>
Alternatively, a Schema Registry client can reuse the configuration it already has for connecting to the Confluent Server broker. The endpoint and client properties are then inherited from the Kafka client and are optional; if they are provided explicitly, the explicit values take precedence over the inherited ones.
bearer.auth.credentials.source=SASL_OAUTHBEARER_INHERIT
# The settings below are optional; if set, they override the values inherited from the Kafka client
bearer.auth.issuer.endpoint.url=<idp-token-endpoint>
bearer.auth.client.id=<client-id>
bearer.auth.client.secret=<client-secret>
bearer.auth.scope=<scope>
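To make the inheritance and precedence rules above concrete, here is an added example (not Confluent's code) that reads a client properties file, including the backslash continuation lines the sasl.jaas.config entry uses, resolves the effective bearer.auth.* values under both OAUTHBEARER and SASL_OAUTHBEARER_INHERIT, and then audits the result for the mistakes that matter most in practice: placeholder values left in from the template, a token endpoint that is not https (which would send the client secret in clear text), and a broker connection that is not SASL_SSL. The inherit mapping used here (token endpoint from sasl.oauthbearer.token.endpoint.url; client id, secret and scope from the sasl.jaas.config options) is this example's reading of the description above, not a statement of the client library's internals, and treating scope as optional is likewise an assumption. All hostnames and ids are constructed.

```python
"""Added example (not Confluent's code): parse a Java-style .properties file
and resolve the effective Schema Registry bearer-auth settings, including the
SASL_OAUTHBEARER_INHERIT case, then audit them. The inherit mapping is this
example's reading of the docs, not the client library's internals.
"""
import re

BEARER_KEYS = (
    "bearer.auth.issuer.endpoint.url",
    "bearer.auth.client.id",
    "bearer.auth.client.secret",
    "bearer.auth.scope",
)
PLACEHOLDER = re.compile(r"^<[^>]*>$")  # e.g. <client-secret> left in from the docs template

# Constructed sample client configuration (hostnames and ids are made up).
SAMPLE_PROPERTIES = """\
bootstrap.servers=SASL_SSL://broker.example.internal:9095
security.protocol=SASL_SSL
sasl.mechanism=OAUTHBEARER
sasl.oauthbearer.token.endpoint.url=https://idp.example.internal/oauth2/token
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \\
  clientId="sr-client" \\
  clientSecret="<client-secret>" \\
  scope="groups";
schema.registry.url=https://sr.example.internal:8081
bearer.auth.credentials.source=SASL_OAUTHBEARER_INHERIT
# explicit override: the Schema Registry token gets its own scope
bearer.auth.scope=schema-registry
"""


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' comments, key=value, and a
    trailing backslash that continues the value on the next line (leading
    whitespace of the continuation line is dropped, as Java does)."""
    props, buf = {}, None
    for raw in text.splitlines():
        line = raw.lstrip() if buf is not None else raw
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
            continue
        logical = ((buf or "") + line).strip()
        buf = None
        if not logical or logical.startswith("#"):
            continue
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_jaas(jaas):
    """Login module name plus the key="value" options of a JAAS config string."""
    module = jaas.split()[0] if jaas.strip() else None
    return module, dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', jaas))


def resolve_bearer_auth(props):
    """Effective bearer.auth.* values. Explicit properties win; under
    SASL_OAUTHBEARER_INHERIT the rest fall back to the Kafka client's settings."""
    source = props.get("bearer.auth.credentials.source")
    inherited = {}
    if source == "SASL_OAUTHBEARER_INHERIT":
        _, opts = parse_jaas(props.get("sasl.jaas.config", ""))
        inherited = {
            "bearer.auth.issuer.endpoint.url": props.get("sasl.oauthbearer.token.endpoint.url"),
            "bearer.auth.client.id": opts.get("clientId"),
            "bearer.auth.client.secret": opts.get("clientSecret"),
            "bearer.auth.scope": opts.get("scope"),
        }
    elif source != "OAUTHBEARER":
        raise ValueError(f"unsupported bearer.auth.credentials.source: {source!r}")
    return {key: props.get(key, inherited.get(key)) for key in BEARER_KEYS}


def audit(props):
    """Review findings before the file is deployed: unreplaced placeholders,
    missing credentials, and endpoints that would carry the client secret or
    bearer token without TLS."""
    findings = []
    effective = resolve_bearer_auth(props)
    for key, value in effective.items():
        if value is None:
            if key != "bearer.auth.scope":  # scope treated as optional here (assumption)
                findings.append(f"missing: {key}")
        elif PLACEHOLDER.match(value):
            findings.append(f"placeholder not replaced: {key}")
    endpoint = effective["bearer.auth.issuer.endpoint.url"] or ""
    if endpoint and not endpoint.startswith("https://"):
        findings.append("token endpoint is not https: client secret would travel in clear text")
    if props.get("security.protocol") != "SASL_SSL":
        findings.append("security.protocol is not SASL_SSL: bearer tokens to the broker are not TLS-protected")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print(resolve_bearer_auth(props))
    for finding in audit(props):
        print("finding:", finding)
```

Run it against a real file with `parse_properties(open(path).read())`; the same audit applies to the broker-side and MDS settings earlier on this page, where the token endpoint is shown with an http:// placeholder and should be https in any deployment that carries a client secret.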