Configuring OAuth2 authentication for Kafka brokers
Learn how to enable and configure OAuth2 authentication for Kafka brokers.
You can enable Kafka to use OAuth2 for client-to-broker authentication. Brokers are configured by setting OAuth2-related properties, which you can do in Cloudera Manager. There are, however, two distinct configuration paths, and which one you take depends on whether the Kafka service is Kerberos-enabled.
If Kerberos is enabled, use the OAuth2-related properties that are directly available in Cloudera Manager to enable and configure OAuth2. If Kerberos is not enabled, you must use an advanced configuration snippet to enable and configure OAuth2 instead.
In addition, when configuring OAuth2 you choose how the broker obtains the JSON Web Key Set (JWKS) it uses to verify token signatures. Kafka brokers can be given access to a JWKS in two ways. They can retrieve it from the authorization server's JWKS endpoint over HTTPS at startup; this is called online JWKS access. Alternatively, the JWKS used by the authorization server can be supplied to the broker directly in an advanced configuration snippet; this is called local JWKS access. With local access the broker only knows the keys you supplied, so when the authorization server rotates its signing keys the snippet must be updated and the change applied to the brokers before tokens signed with the new key are accepted.
- If you want to configure online JWKS access, ensure that the broker can open a network connection to the authorization server's JWKS endpoint. Because the endpoint is HTTPS, this includes the broker trusting the certificate the endpoint presents. Otherwise the broker fails to start.
- If you want to configure local JWKS access, acquire the JWKS JSON (the document served at the authorization server's JWKS endpoint) from the authorization server.
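The following is an added example, not code from the Cloudera page or from Kafka itself. It shows what the broker does with the JWKS once it has it, whether that JWKS was fetched from the endpoint at startup or pasted into the snippet: select the key named by the token's `kid`, verify the RS256 signature, then check issuer, audience and expiry. It uses only the Python standard library; the RSA key pair, the JWKS document, the issuer and audience strings and the token are all constructed here so that it runs offline. The key size and the key names are arbitrary demo choices.

```python
"""Added example: broker-side JWT validation against a JWKS (stdlib only)."""
import base64, hashlib, hmac, json, math, random, time

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _int_to_b64u(value: int) -> str:
    return _b64u(value.to_bytes((value.bit_length() + 7) // 8, "big"))

def _b64u_to_int(text: str) -> int:
    return int.from_bytes(_b64u_decode(text), "big")

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin, sufficient to build a demo key; real keys live in the authorization server."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate

def generate_rsa_key(bits: int = 1024) -> dict:
    """Constructed demo key pair (n, e, d); 1024 bits keeps the pure-Python math quick."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and math.gcd(e, phi) == 1:
            return {"n": n, "e": e, "d": pow(e, -1, phi)}

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def _rs256_sign(key: dict, message: bytes) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")

def _rs256_verify(n: int, e: int, message: bytes, signature: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(message, k))

def build_jwks(key: dict, kid: str) -> str:
    """The JSON the authorization server serves at its JWKS endpoint: public parts only.
    This is also the text you would paste into the snippet for local JWKS access."""
    jwk = {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
           "n": _int_to_b64u(key["n"]), "e": _int_to_b64u(key["e"])}
    return json.dumps({"keys": [jwk]})

def parse_jwks(jwks_json: str) -> dict:
    """kid -> (n, e); the broker builds this map from the fetched or pasted JWKS."""
    keys = {}
    for jwk in json.loads(jwks_json).get("keys", []):
        if jwk.get("kty") == "RSA" and jwk.get("use", "sig") == "sig" and "kid" in jwk:
            keys[jwk["kid"]] = (_b64u_to_int(jwk["n"]), _b64u_to_int(jwk["e"]))
    return keys

def mint_token(key: dict, kid: str, issuer: str, audience: str, subject: str, ttl: int) -> str:
    """Constructed stand-in for the token the authorization server issues to a Kafka client."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": issuer, "aud": audience, "sub": subject, "iat": now, "exp": now + ttl}
    signing_input = _b64u(json.dumps(header).encode()) + "." + _b64u(json.dumps(claims).encode())
    return signing_input + "." + _b64u(_rs256_sign(key, signing_input.encode()))

def validate_token(token: str, keys: dict, issuer: str, audience: str, clock_skew: int = 30) -> dict:
    """Broker-side checks. Raises ValueError on any failure, returns the claims otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(_b64u_decode(h64)), json.loads(_b64u_decode(p64))
    except (ValueError, TypeError) as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":      # reject 'none' and HMAC-against-public-key tricks
        raise ValueError("unexpected alg %r" % header.get("alg"))
    if header.get("kid") not in keys:     # with local JWKS this is what a rotated key looks like
        raise ValueError("kid %r not in JWKS" % header.get("kid"))
    n, e = keys[header["kid"]]
    if not _rs256_verify(n, e, (h64 + "." + p64).encode(), _b64u_decode(s64)):
        raise ValueError("bad signature")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    now = time.time()
    if "exp" not in claims or claims["exp"] + clock_skew < now:
        raise ValueError("token expired")
    if claims.get("nbf", 0) - clock_skew > now:
        raise ValueError("token not yet valid")
    return claims
```

The `kid` lookup is the step that distinguishes the two access modes in practice: with online access the broker's map comes from whatever the endpoint served at startup, with local access it comes from the snippet, and in both cases a token signed with a key that is not in the map is rejected rather than fetched on demand.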