Configuring OAuth authentication

Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes secret for the OAuth server certificate and enabling OAuth authentication on a listener in your Kafka resource.

Ensure that you have the following:
  • An OAuth server running that is accessible from the Kafka Kubernetes environment.
  • Both Kafka brokers and clients are able to access the OAuth server.
  • The TLS certificates of the OAuth server are available in PEM format.
  • The following attributes of the OAuth environment have been determined:
    • userNameClaim – the name of the token claim that contains the client ID. Typically this is sub, but it depends on the OAuth provider.
    • validIssuerUri – the URL that clients use to connect to the OAuth server. The value can be obtained from the OAuth server's well-known endpoint or from a JWT token it issued.
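The two attributes above can be read off a token and the server's discovery document. The following script is an added example and is not part of the Strimzi documentation or project: the token and the discovery document are constructed sample data built inline, nothing is fetched, and no signature is verified, so it is a configuration aid only. The candidate order for the identity claim and the host names are this example's own assumptions.

```python
"""Derive userNameClaim and validIssuerUri from a sample token and an OIDC
discovery document (added example, not Strimzi code)."""
import base64
import json

# Constructed sample of the OAuth server's well-known endpoint response
# (normally fetched from <issuer>/.well-known/openid-configuration).
SAMPLE_DISCOVERY = {
    "issuer": "https://sso.example.internal/realms/kafka",
    "jwks_uri": "https://sso.example.internal/realms/kafka/protocol/openid-connect/certs",
}

# Constructed claims of a token the OAuth server would issue to a Kafka client.
SAMPLE_CLAIMS = {
    "iss": "https://sso.example.internal/realms/kafka",
    "sub": "service-account-orders-producer",
    "azp": "orders-producer",
    "iat": 1700000000,
    "exp": 1700003600,
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the '=' padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Assemble header.payload.signature; the signature bytes are a dummy."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "sample-key"}

    def encode(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    return ".".join([encode(header), encode(claims), b64url_encode(b"not-a-real-signature")])


def jwt_claims(token: str) -> dict:
    """Decode only the payload segment. No signature check happens here:
    the broker does that against jwksEndpointUri; this just reads claim names."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    return json.loads(b64url_decode(parts[1]))


# Candidate claims in this example's preference order (an assumption; the
# right claim is provider dependent, as the prerequisites note).
USER_NAME_CLAIM_CANDIDATES = ("sub", "preferred_username", "client_id", "azp")


def pick_user_name_claim(claims: dict) -> str:
    """Return the first candidate claim the token actually carries."""
    for name in USER_NAME_CLAIM_CANDIDATES:
        if claims.get(name):
            return name
    raise ValueError("no usable identity claim in token")


def issuer_matches(token: str, discovery: dict) -> bool:
    """validIssuerUri must equal the token's iss exactly, otherwise the broker
    rejects every token; compare against the discovery document's issuer."""
    return jwt_claims(token).get("iss") == discovery.get("issuer")


def derive_listener_settings(token: str, discovery: dict) -> dict:
    """Values to paste into the listener's authentication block."""
    if not issuer_matches(token, discovery):
        raise ValueError("token iss does not match the discovery document issuer; "
                         "check which URL clients really use to reach the server")
    claims = jwt_claims(token)
    return {
        "userNameClaim": pick_user_name_claim(claims),
        "validIssuerUri": claims["iss"],
        "jwksEndpointUri": discovery["jwks_uri"],
    }


if __name__ == "__main__":
    token = make_sample_jwt(SAMPLE_CLAIMS)
    for key, value in derive_listener_settings(token, SAMPLE_DISCOVERY).items():
        print(f"{key}: {value}")
```

Run it against a real token and a real discovery document to catch the common mistake of setting validIssuerUri to the URL the brokers use while clients obtain tokens from a different hostname: the broker compares the iss claim byte for byte, so the two must match.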

To set up OAuth, create a Kubernetes secret for the OAuth server certificate. The Strimzi Cluster Operator mounts the secret into the brokers and uses it when configuring the listener.

kubectl create secret \
  -n kafka generic <oauth-server-cert-secret> \
  --from-file=<oauth-server-cert.pem>

The following snippet configures a Kafka cluster with an OAuth-authenticated listener on port 9093. Notice that the authentication section of the listener configuration contains all OAuth-specific settings.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: oauth
          jwksEndpointUri: <uri-from-kafka-brokers-to-oauth-server>
          tlsTrustedCertificates:
            - secretName: <oauth-server-cert-secret>
              certificate: <oauth-server-cert.pem>
          userNameClaim: <user-name-claim>
          validIssuerUri: <uri-from-kafka-clients-to-oauth-server>
          maxSecondsWithoutReauthentication: 3600
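Before applying a listener like the one above, it is worth checking the block for unfilled placeholders and for settings that weaken the setup, and checking that the file going into the secret really is PEM, as the prerequisites require. The following checker is an added example, not part of the Strimzi documentation or project: the listener is reproduced as a plain Python dict so no YAML parser or cluster is needed, the field names are the page's, and the rules (and the hardened sample values) are this example's own. Note that the listener above has tls: false, so bearer tokens reach the broker unencrypted; the checker flags that.

```python
"""Lint a Strimzi OAuth listener block and check a PEM certificate
(added example, not Strimzi code)."""
import re

PLACEHOLDER = re.compile(r"^<[^<>]+>$")   # template values such as <user-name-claim>
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s.+?\s-----END CERTIFICATE-----", re.S)

# Constructed: the page's listener exactly as written, placeholders included.
PAGE_LISTENER = {
    "name": "oauth", "port": 9093, "type": "internal", "tls": False,
    "authentication": {
        "type": "oauth",
        "jwksEndpointUri": "<uri-from-kafka-brokers-to-oauth-server>",
        "tlsTrustedCertificates": [
            {"secretName": "<oauth-server-cert-secret>", "certificate": "<oauth-server-cert.pem>"}
        ],
        "userNameClaim": "<user-name-claim>",
        "validIssuerUri": "<uri-from-kafka-clients-to-oauth-server>",
        "maxSecondsWithoutReauthentication": 3600,
    },
}

# Constructed: the same listener with placeholders filled in and TLS enabled.
HARDENED_LISTENER = {
    "name": "oauth", "port": 9093, "type": "internal", "tls": True,
    "authentication": {
        "type": "oauth",
        "jwksEndpointUri": "https://sso.example.internal/realms/kafka/protocol/openid-connect/certs",
        "tlsTrustedCertificates": [{"secretName": "sso-ca", "certificate": "ca.pem"}],
        "userNameClaim": "sub",
        "validIssuerUri": "https://sso.example.internal/realms/kafka",
        "maxSecondsWithoutReauthentication": 3600,
    },
}

# Constructed stand-in for the file passed to kubectl create secret --from-file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructedBodyNotARealCert==\n-----END CERTIFICATE-----\n"


def looks_like_pem_certificate(data: str) -> bool:
    """The secret must hold a PEM certificate; DER or JKS content is not what
    tlsTrustedCertificates expects."""
    return PEM_CERT.search(data) is not None


def _placeholders(obj, path=""):
    """Yield dotted paths of values that still hold a <placeholder>."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _placeholders(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _placeholders(value, f"{path}[{index}]")
    elif isinstance(obj, str) and PLACEHOLDER.match(obj):
        yield path


def lint_oauth_listener(listener: dict) -> list:
    """Return human-readable findings; an empty list means nothing to fix."""
    name = listener.get("name")
    auth = listener.get("authentication") or {}
    if auth.get("type") != "oauth":
        return [f"{name}: authentication.type is not oauth"]
    findings = [f"{name}: {path} still contains a template placeholder"
                for path in _placeholders(listener)]
    if not listener.get("tls"):
        findings.append(f"{name}: tls is false, bearer tokens are sent to the broker in cleartext")
    jwks = auth.get("jwksEndpointUri") or ""
    if not jwks:
        findings.append(f"{name}: jwksEndpointUri is missing")
    elif not jwks.startswith("https://"):
        findings.append(f"{name}: jwksEndpointUri is not https, signing keys could be altered in transit")
    elif not auth.get("tlsTrustedCertificates"):
        findings.append(f"{name}: https jwksEndpointUri without tlsTrustedCertificates, "
                        "no explicit trust anchor for the OAuth server")
    for key in ("validIssuerUri", "userNameClaim"):
        if not auth.get(key):
            findings.append(f"{name}: {key} is missing")
    reauth = auth.get("maxSecondsWithoutReauthentication")
    if not isinstance(reauth, int) or reauth <= 0:
        findings.append(f"{name}: maxSecondsWithoutReauthentication unset, "
                        "authenticated connections are never forced to re-authenticate")
    return findings


if __name__ == "__main__":
    for finding in lint_oauth_listener(PAGE_LISTENER):
        print(finding)
    print("hardened listener findings:", lint_oauth_listener(HARDENED_LISTENER))
    print("sample file is PEM:", looks_like_pem_certificate(SAMPLE_PEM))
```

The re-authentication check matters because a bearer token has an expiry but an already-authenticated Kafka connection does not: maxSecondsWithoutReauthentication bounds how long a connection can keep using a token that has since expired or been revoked.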