Configuring OAuth authentication
Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes Secret for the OAuth server certificate, configuring OAuth authentication on a listener in your Kafka resource, and adding your OAuth server to the allowed list of OAuth URLs in the KafkaNodePool resource.
- An OAuth server is available. The server is accessible from the Kubernetes environment.
- Both Kafka brokers and clients are able to access the OAuth server.
- The TLS certificates of the OAuth server must be available in PEM format.
- The following attributes of the OAuth environment must be determined:
  - userNameClaim: the claim name which contains the client ID. Typically this is sub, but it is OAuth provider dependent.
  - validIssuerUri: it must point to the URL that clients can use to connect to the OAuth server. The value can be obtained from the well-known endpoint of the OAuth server or a JWT token.
To set up OAuth, create a Kubernetes Secret for the OAuth server certificate. The Strimzi Cluster Operator mounts the Secret and uses it when configuring the listener.
kubectl create secret generic [***SECRET NAME***] \
  --namespace [***NAMESPACE***] \
  --from-file=[***OAUTH SERVER CERT.PEM FILE***]
The following snippet configures a Kafka cluster with an OAuth-authenticated listener on port 9093. Notice that the authentication section in the listener config contains all OAuth-specific settings. The tlsTrustedCertificates entry only tells the brokers which certificate to trust when they contact the OAuth server; with tls: false the listener itself accepts plaintext client connections, so set tls: true if tokens must not cross the network unencrypted.
#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: oauth
          jwksEndpointUri: [***JWKS ENDPOINT URI***]
          tlsTrustedCertificates:
            - secretName: [***SECRET NAME***]
              certificate: [***OAUTH SERVER CERT.PEM FILE***]
          userNameClaim: [***USER NAME CLAIM***]
          validIssuerUri: [***ISSUER URI***]
          maxSecondsWithoutReauthentication: 3600
---
#...
kind: KafkaNodePool
spec:
  jvmOptions:
    javaSystemProperties:
      - name: org.apache.kafka.sasl.oauthbearer.allowed.urls
        value: [***OAUTH SERVER URL 1***],[***OAUTH SERVER URL 2***]
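As an added example (not from this page, Strimzi or Kafka), a small Python pre-flight helper that derives the validIssuerUri and jwksEndpointUri values from the OAuth server's well-known discovery document, checks a sample token's claims against them, and assembles the value for org.apache.kafka.sasl.oauthbearer.allowed.urls. The host sso.example.internal, the discovery JSON and the sample tokens are constructed.

```python
import base64
import json

# Constructed sample of what the OAuth server's /.well-known/openid-configuration
# endpoint returns. The host sso.example.internal is hypothetical.
DISCOVERY_JSON = json.dumps({
    "issuer": "https://sso.example.internal/realms/kafka",
    "jwks_uri": "https://sso.example.internal/realms/kafka/protocol/openid-connect/certs",
    "token_endpoint": "https://sso.example.internal/realms/kafka/protocol/openid-connect/token",
})

def _b64url_decode(part: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check is done here:
    this only inspects claims to derive and cross-check configuration."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def derive_listener_settings(discovery_json: str, user_name_claim: str = "sub") -> dict:
    """Map the discovery document onto the Strimzi listener authentication keys."""
    doc = json.loads(discovery_json)
    return {"validIssuerUri": doc["issuer"],
            "jwksEndpointUri": doc["jwks_uri"],
            "userNameClaim": user_name_claim}

def allowed_urls_value(settings: dict, *extra: str) -> str:
    """Build the comma-separated allowed.urls value; the JWKS endpoint the brokers
    contact is always included, extra URLs are appended without duplicates."""
    return ",".join(dict.fromkeys([settings["jwksEndpointUri"], *extra]))

def check_token_against_settings(token: str, settings: dict) -> list:
    """Return the inconsistencies between a sample token and the derived settings
    (an empty list means the token would be accepted as far as these keys go)."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != settings["validIssuerUri"]:
        problems.append(f"iss {claims.get('iss')!r} does not match validIssuerUri")
    if settings["userNameClaim"] not in claims:
        problems.append(f"claim {settings['userNameClaim']!r} missing from token")
    return problems

def sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string used only to exercise the checks
    above locally; it is not a credential and carries no signature."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```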
