Configure OIDC SSO for Confluent CLI in Confluent Platform

Follow these steps to configure single sign-on (SSO) for Confluent CLI using OpenID Connect (OIDC):

Step 1: Configure MDS properties

Add the following OIDC properties to your Metadata Server (MDS) configuration:

confluent.metadata.server.sso.mode=oidc
confluent.metadata.server.openapi.enable=true
confluent.oidc.idp.jwks.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/keys
confluent.oidc.idp.authorize.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/authorize
confluent.oidc.idp.device.authorization.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/device/authorize
confluent.oidc.idp.client.id=<client-id>
confluent.oidc.idp.client.secret=<client-secret>
confluent.oidc.idp.token.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/token
confluent.oidc.idp.issuer=https://your-idp-domain.com/oauth2/your-auth-server-id
confluent.oidc.idp.refresh.token.enabled=true
confluent.oidc.session.token.expiry.ms=120000
confluent.oidc.session.max.timeout.ms=600000

Replace your-idp-domain.com and your-auth-server-id with your identity provider’s domain and authorization server ID.

Step 2: Install Confluent CLI

Download and install the latest version of Confluent CLI following the download link and steps in Install the Confluent CLI.

Step 3: Sign in using SSO

To sign in using SSO, run the following Confluent CLI command:

confluent login --url https://<mds-url>:<mds-port> \
  --certificate-authority-path /var/ssl/private/ca.crt

This redirects you to a browser to sign in using the configured identity provider.

If you're in an environment without a browser, use the --no-browser flag, like this:

confluent login --url https://<mds-url>:<mds-port> \
  --certificate-authority-path /var/ssl/private/ca.crt \
  --no-browser

You should have successfully signed in using SSO.
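As an added check that is not part of the Confluent documentation, the following Python script parses the Step 1 properties (a constructed sample, placeholders included) and flags the misconfigurations that most often make the SSO sign-in fail: missing or non-HTTPS endpoints, endpoints that do not sit under the configured issuer, placeholder client credentials, and a token expiry larger than the session maximum. The issuer-prefix rule, the expiry-versus-maximum rule and the angle-bracket placeholder convention are assumed sanity checks, not documented requirements.

```python
from urllib.parse import urlparse
# Constructed sample of the Step 1 MDS properties; the <...> placeholders are left in on purpose.
SAMPLE_PROPERTIES = """\
confluent.oidc.idp.jwks.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/keys
confluent.oidc.idp.authorize.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/authorize
confluent.oidc.idp.device.authorization.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/device/authorize
confluent.oidc.idp.client.id=<client-id>
confluent.oidc.idp.client.secret=<client-secret>
confluent.oidc.idp.token.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/token
confluent.oidc.idp.issuer=https://your-idp-domain.com/oauth2/your-auth-server-id
confluent.oidc.idp.refresh.token.enabled=true
confluent.oidc.session.token.expiry.ms=120000
confluent.oidc.session.max.timeout.ms=600000
"""

P = "confluent.oidc.idp."
ENDPOINT_KEYS = (P + "jwks.endpoint.uri", P + "authorize.base.endpoint.uri",
                 P + "device.authorization.endpoint.uri", P + "token.base.endpoint.uri")

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' comments and blank lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_oidc_config(props):
    """Return a list of findings about the OIDC properties; an empty list means every check passed."""
    findings = []
    issuer = props.get(P + "issuer", "").rstrip("/")
    for key in ENDPOINT_KEYS:
        uri = props.get(key, "")
        if urlparse(uri).scheme != "https":  # an absent endpoint has an empty scheme, so it is caught too
            findings.append(f"{key} is missing or not https")
        # Assumed sanity rule: every IdP endpoint sits under the issuer, so tokens come from the same IdP.
        if issuer and uri and not uri.startswith(issuer + "/"):
            findings.append(f"{key} is not under issuer {issuer}")
    for key in (P + "client.id", P + "client.secret"):
        value = props.get(key, "")
        if not value or (value.startswith("<") and value.endswith(">")):  # assumed placeholder convention
            findings.append(f"{key} is empty or still a <placeholder>")
    expiry = int(props.get("confluent.oidc.session.token.expiry.ms", "0"))
    max_timeout = int(props.get("confluent.oidc.session.max.timeout.ms", "0"))
    if not 0 < expiry <= max_timeout:  # assumed sanity rule: a token should not outlive the session
        findings.append("session.token.expiry.ms must be positive and no larger than session.max.timeout.ms")
    return findings
```

Run it against your own properties file by passing its contents to parse_properties before attempting the sign-in.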

Verify the sign-in

To check the signed-in (or logged-in) credentials, run the following Confluent CLI command:

confluent iam user describe -o json

Test Confluent CLI commands

You can try running various Confluent CLI commands to validate the credentials.

For example, you can create a Kafka topic (ensure the signed-in user has proper RBAC roles) by running the following Confluent CLI command:

confluent kafka topic create test-topic --url https://<kafka-url>:8090/kafka

Switch to Basic Authentication (optional)

To switch back to HTTP Basic Authentication and sign in using your username and password, you can use the --prompt flag, like this:

confluent login --url https://<mds-url>:<mds-port> \
  --certificate-authority-path /var/ssl/private/ca.crt \
  --prompt

Session timeout for Confluent CLI SSO sign-in

The confluent.oidc.session.max.timeout.ms property controls the session timeout for signing in with SSO.

If refresh tokens are enabled (confluent.oidc.idp.refresh.token.enabled=true), the timeout is controlled by the identity provider’s refresh token settings.