Configuring allowed OAuth URLs

Configuring allowed OAuth URLs is available from Cloudera Runtime 7.3.1.500 SP3 or higher. You can restrict the OAuth URLs that are allowed for internal clients used by Kafka Connect connectors. Configuring a trusted list of URLs can harden the security of your deployment and can prevent an attacker from setting malicious values in connector clients. Configuration is done in Cloudera Manager by setting Java options using an advanced configuration snippet.

In Cloudera Manager, select the Kafka service.
Go to Configuration.
Find the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property.
Add or update the EXTRA_ARGS environment variable with the org.apache.kafka.sasl.oauthbearer.allowed.urls Java option.
For example:
```
EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="http://www.oauth-example-1.com,http://www.oauth-example-2.com"
```
Click the Save Changes button.
Restart the Kafka service.