Configuring OAuth authentication
Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes secret for the OAuth server certificate and configuring OAuth for a listener in your Kafka resource.
- A running OAuth server that is accessible from the Kafka Kubernetes environment.
- Both Kafka brokers and clients are able to access the OAuth server.
- The TLS certificates of the OAuth server must be available in PEM format.
- The following attributes of the OAuth environment must be determined:
  - userNameClaim: the claim name which contains the client ID. Typically this is sub, but it is OAuth provider dependent.
  - validIssuerUri: it must point to the URL that clients can use to connect to the OAuth server. The value can be obtained from the well-known endpoint of the OAuth server or from a JWT token.
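As an added example (not part of this page and not Strimzi code), the following Python script shows the two lookups described above: deriving validIssuerUri and jwksEndpointUri from the OAuth server's well-known discovery document, and reading the iss claim and the candidate user-name claim out of a JWT. The discovery document, the hostnames and the token are constructed placeholders. The token is decoded without signature verification purely to read configuration values; the broker itself still verifies signatures against the JWKS endpoint, so this decoder must never be used for an authorization decision. The check at the end flags the most common misconfiguration: an iss claim that does not match validIssuerUri exactly (a trailing slash is enough for the broker to reject every token).

```python
import base64
import json

# Constructed sample of what <issuer>/.well-known/openid-configuration returns.
# The hostname is a placeholder, not a real server.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://oauth.example.internal/realms/kafka",
    "jwks_uri": "https://oauth.example.internal/realms/kafka/protocol/openid-connect/certs",
    "token_endpoint": "https://oauth.example.internal/realms/kafka/protocol/openid-connect/token",
})


def discovery_url(issuer: str) -> str:
    """Well-known endpoint for an issuer, per OpenID Connect Discovery."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    This only inspects the token to find configuration values. It does NOT
    verify the signature, so it tells you nothing about the token's validity.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token for local experiments only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


def listener_settings_from_discovery(doc_json: str) -> dict:
    """Map the discovery document onto the Strimzi listener settings."""
    doc = json.loads(doc_json)
    return {"validIssuerUri": doc["issuer"], "jwksEndpointUri": doc["jwks_uri"]}


def check_token_against_settings(token: str, settings: dict, user_name_claim: str) -> list:
    """Return the problems a broker configured with `settings` would hit for this token."""
    claims = jwt_claims(token)
    problems = []
    # The broker compares iss with validIssuerUri literally.
    if claims.get("iss") != settings["validIssuerUri"]:
        problems.append(
            f"iss {claims.get('iss')!r} does not match validIssuerUri {settings['validIssuerUri']!r}"
        )
    # Without the configured claim the broker cannot derive a principal.
    if user_name_claim not in claims:
        problems.append(
            f"claim {user_name_claim!r} absent; claims present: {sorted(claims)}"
        )
    return problems


if __name__ == "__main__":
    settings = listener_settings_from_discovery(DISCOVERY_DOC)
    print("discovery endpoint:", discovery_url(settings["validIssuerUri"]))
    print("listener settings:", settings)
    token = make_sample_token({"iss": settings["validIssuerUri"], "sub": "kafka-producer"})
    print("problems:", check_token_against_settings(token, settings, "sub"))
```

In a real environment you would fetch the discovery document from the URL returned by discovery_url and paste a token obtained from the OAuth server's token endpoint into jwt_claims; the comparison logic stays the same.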
 
To set up OAuth, create a Kubernetes secret for the OAuth certificate. The Strimzi Cluster Operator will mount and use the secret when configuring the listener.
kubectl create secret \
  -n kafka generic <oauth-server-cert-secret> \
  --from-file=<oauth-server-cert.pem>
The following snippet configures a Kafka cluster with an OAuth-authenticated listener on port 9093. Notice that the authentication section of the listener config contains all OAuth-specific settings.
#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: oauth
          jwksEndpointUri: <uri-from-kafka-brokers-to-oauth-server>
          tlsTrustedCertificates:
            - secretName: <oauth-server-cert-secret>
              certificate: <oauth-server-cert.pem>
          userNameClaim: <user-name-claim>
          validIssuerUri: <uri-from-kafka-clients-to-oauth-server>
          maxSecondsWithoutReauthentication: 3600
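As an added example (this page's own snippet contains no such check, and the rules below are not part of the Strimzi operator), the following Python script encodes the review a security engineer would run over the listener above before applying it. The listener is represented as a dict mirroring the YAML fields, with constructed placeholder values in place of the angle-bracket ones. The one finding it raises for the page's configuration is the listener's tls: false, under which clients send their bearer tokens to the broker in cleartext; the hardened form sets tls: true and keeps maxSecondsWithoutReauthentication so that a session whose token has expired is forced to re-authenticate.

```python
import copy

# Constructed listener mirroring the YAML on the page; hostnames and secret
# names are placeholders.
LISTENER_AS_ON_PAGE = {
    "name": "oauth",
    "port": 9093,
    "type": "internal",
    "tls": False,
    "authentication": {
        "type": "oauth",
        "jwksEndpointUri": "https://oauth.example.internal/realms/kafka/protocol/openid-connect/certs",
        "tlsTrustedCertificates": [
            {"secretName": "oauth-server-cert-secret", "certificate": "oauth-server-cert.pem"}
        ],
        "userNameClaim": "sub",
        "validIssuerUri": "https://oauth.example.internal/realms/kafka",
        "maxSecondsWithoutReauthentication": 3600,
    },
}


def review_oauth_listener(listener: dict) -> list:
    """Return a list of findings for an OAuth-authenticated Strimzi listener.

    The rules are this example's own review checklist, not operator behaviour.
    """
    findings = []
    auth = listener.get("authentication", {})
    if auth.get("type") != "oauth":
        return findings  # these checks only apply to OAuth listeners

    # Tokens are bearer credentials: anyone who reads them off the wire can use them.
    if not listener.get("tls", False):
        findings.append("tls is false: bearer tokens reach the broker in cleartext; enable TLS on the listener")

    # The JWKS endpoint supplies the keys used to verify tokens, so its transport
    # must be authenticated, and the broker must be able to verify the server cert.
    jwks = auth.get("jwksEndpointUri", "")
    if not jwks.startswith("https://"):
        findings.append("jwksEndpointUri is not https: signing keys could be substituted in transit")
    elif not auth.get("tlsTrustedCertificates"):
        findings.append("jwksEndpointUri is https but tlsTrustedCertificates is empty; "
                        "the broker needs the OAuth server's certificate to verify it")

    if not auth.get("validIssuerUri", "").startswith("https://"):
        findings.append("validIssuerUri is not https")

    # Without a re-authentication limit an established session outlives its token.
    if "maxSecondsWithoutReauthentication" not in auth:
        findings.append("maxSecondsWithoutReauthentication unset: sessions are never forced to re-authenticate")

    if "userNameClaim" not in auth:
        findings.append("userNameClaim unset: make the principal claim explicit rather than relying on the default")
    return findings


def hardened(listener: dict) -> dict:
    """Return a copy of the listener with the review findings addressed."""
    fixed = copy.deepcopy(listener)
    fixed["tls"] = True
    fixed["authentication"].setdefault("maxSecondsWithoutReauthentication", 3600)
    fixed["authentication"].setdefault("userNameClaim", "sub")
    return fixed


if __name__ == "__main__":
    for finding in review_oauth_listener(LISTENER_AS_ON_PAGE):
        print("finding:", finding)
    print("after hardening:", review_oauth_listener(hardened(LISTENER_AS_ON_PAGE)))
```

The https checks on jwksEndpointUri and validIssuerUri are deliberately crude string checks; a production linter would also resolve the secret named in tlsTrustedCertificates and confirm that its key holds a PEM certificate, which is what the kubectl command earlier on the page creates.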
