Configuring OAuth authentication
Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes secret for the OAuth server certificate and configuring OAuth authentication for a listener in your Kafka resource.
- An OAuth server that is running and accessible from the Kafka Kubernetes environment.
- Both Kafka brokers and clients are able to access the OAuth server.
- The TLS certificates of the OAuth server must be available in PEM format.
- The following attributes of the OAuth environment must be determined:
  - userNameClaim: the claim name which contains the client ID. Typically this is sub, but it is OAuth-provider dependent.
  - validIssuerUri: must point to the URL that clients can use to connect to the OAuth server. The value can be obtained from the well-known endpoint of the OAuth server or from a JWT token.
To set up OAuth, create a Kubernetes secret for the OAuth certificate. The Strimzi Cluster Operator will mount and use the secret when configuring the listener.
kubectl create secret \
  -n kafka generic <oauth-server-cert-secret> \
  --from-file=<oauth-server-cert.pem>
The following snippet configures a Kafka cluster with an OAuth-authenticated listener on port 9093. Notice that the authentication section in the listener configuration contains all OAuth-specific settings.
#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: oauth
          jwksEndpointUri: <uri-from-kafka-brokers-to-oauth-server>
          tlsTrustedCertificates:
            - secretName: <oauth-server-cert-secret>
              certificate: <oauth-server-cert.pem>
          userNameClaim: <user-name-claim>
          validIssuerUri: <uri-from-kafka-clients-to-oauth-server>
          maxSecondsWithoutReauthentication: 3600
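The script below is a worked example added to this page; it is not part of Strimzi or of the original documentation. It shows how the attributes required above (validIssuerUri, jwksEndpointUri and userNameClaim) can be read from an OIDC discovery document and a sample JWT, and how to check that the OAuth server certificate is in PEM format before it is placed in the secret. The discovery document, hostnames and token are constructed inline so the script runs offline; the alternative claim names it falls back to (preferred_username, client_id, azp) are an assumption about common identity providers, not something this page states.

```python
"""Derive Strimzi OAuth listener settings from an OIDC discovery document and a
sample JWT.  Added example, not Strimzi's own code: the discovery document,
hostnames and token below are constructed so the script runs offline."""
import base64
import json

# Constructed OIDC discovery document, as a server would publish it at
# <issuer>/.well-known/openid-configuration.  All values are made up.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://sso.example.internal/realms/kafka",
    "jwks_uri": "https://sso.example.internal/realms/kafka/protocol/openid-connect/certs",
    "token_endpoint": "https://sso.example.internal/realms/kafka/protocol/openid-connect/token",
})


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWTs do (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(issuer: str, subject: str) -> str:
    """Build a constructed JWT for the example.  The signature segment is
    filler bytes, so this token would never pass real JWKS verification."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "example-key"}).encode())
    payload = b64url(json.dumps({"iss": issuer, "sub": subject, "aud": "kafka", "exp": 1700003600}).encode())
    return f"{header}.{payload}.{b64url(b'constructed-signature-bytes')}"


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.  This only inspects the
    token to read configuration values; it does not verify the signature and
    must never be used to decide whether a token is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def derive_listener_settings(discovery_json: str, sample_token: str) -> dict:
    """Map OIDC metadata and a sample token onto the Strimzi listener fields."""
    disc = json.loads(discovery_json)
    claims = decode_jwt_claims(sample_token)
    issuer = disc["issuer"]
    # The token's iss claim must equal the discovery issuer: validIssuerUri is
    # compared exactly, so a mismatch would make the brokers reject every token.
    if claims.get("iss") != issuer:
        raise ValueError(f"token iss {claims.get('iss')!r} != issuer {issuer!r}")
    # Prefer the standard sub claim as the principal; otherwise fall back to
    # claim names commonly used by identity providers (an assumption).
    user_claim = "sub" if "sub" in claims else next(
        (c for c in ("preferred_username", "client_id", "azp") if c in claims), None)
    return {
        "validIssuerUri": issuer,
        "jwksEndpointUri": disc["jwks_uri"],
        "userNameClaim": user_claim,
        "principal_from_sample": claims.get(user_claim) if user_claim else None,
    }


def is_pem(data: bytes) -> bool:
    """Check the certificate is PEM (the format the secret needs), not DER:
    PEM is text wrapped in BEGIN/END CERTIFICATE armour."""
    text = data.strip()
    return (text.startswith(b"-----BEGIN CERTIFICATE-----")
            and text.endswith(b"-----END CERTIFICATE-----"))


if __name__ == "__main__":
    token = make_sample_token("https://sso.example.internal/realms/kafka", "kafka-producer-1")
    for key, value in derive_listener_settings(DISCOVERY_DOC, token).items():
        print(f"{key}: {value}")
```

In a real deployment the discovery document is fetched from the OAuth server's well-known endpoint and the PEM check is run against the file passed to kubectl create secret; the issuer comparison is the step most worth keeping, since validIssuerUri is matched exactly against the iss claim of every token the brokers receive.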