Configuring OAuth authentication

Learn how to configure OAuth authentication for Kafka. OAuth is configured by creating a Kubernetes Secret for the OAuth server certificate, configuring an OAuth-authenticated listener in your Kafka resource, and adding the OAuth server URLs that the brokers contact to the list of allowed OAuth URLs in the KafkaNodePool resource.

  • An OAuth server is available and reachable from the Kubernetes environment.
  • Both Kafka brokers and clients are able to reach the OAuth server.
  • The TLS certificate of the OAuth server (or the CA certificate that signed it) is available in PEM format.

To set up OAuth, first create a Kubernetes Secret that holds the OAuth server certificate. With --from-file the key of the Secret entry defaults to the file name; that key is what you later reference as [***SECRET KEY***] in the Kafka resource.

kubectl create secret generic [***SECRET NAME***] \
  --namespace [***NAMESPACE***] \
  --from-file=[***OAUTH SERVER CERT.PEM FILE***]

The following snippet configures a Kafka cluster with an OAuth-authenticated listener on port 9093 and a typical set of token validator options, followed by the KafkaNodePool setting that allows the brokers to contact the OAuth server. The listener is shown with tls: false; because SASL/OAUTHBEARER sends the bearer token to the broker in clear text on such a listener, set tls: true on any listener that is reachable beyond a trusted cluster network.

#...
kind: Kafka
spec:
  kafka:
    listeners:
      - name: oauth
        port: 9093
        type: internal
        tls: false
        authentication:
          type: custom
          sasl: true
          listenerConfig:
            sasl.enabled.mechanisms: OAUTHBEARER
            oauthbearer.sasl.server.callback.handler.class: io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
            oauthbearer.sasl.jaas.config: >
              org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
              unsecuredLoginStringClaim_sub="unused"
              oauth.valid.issuer.uri="[***EXPECTED ISSUER***]"
              oauth.jwks.endpoint.uri="[***JWKS ENDPOINT***]"
              oauth.username.claim="[***USERNAME CLAIM***]"
              oauth.ssl.truststore.location="/mnt/[***PATH***]/[***FILE NAME***]"
              oauth.ssl.truststore.type="PEM";
            connections.max.reauth.ms: 3600000
    template:
      pod:
        volumes:
          - name: [***VOLUME NAME***]
            secret:
              secretName: [***SECRET NAME***]
              items:
                - key: [***SECRET KEY***]
                  path: [***FILE NAME***]
      kafkaContainer:
        volumeMounts:
          - name: [***VOLUME NAME***]
            mountPath: /mnt/[***PATH***]
---
#...
kind: KafkaNodePool
spec:
  jvmOptions:
    javaSystemProperties:
      - name: org.apache.kafka.sasl.oauthbearer.allowed.urls
        value: [***OAUTH SERVER URL 1***],[***OAUTH SERVER URL 2***]

  • oauth.valid.issuer.uri – The expected issuer (iss claim) of tokens. Tokens carrying any other issuer are rejected, even if their signature is valid.

  • oauth.jwks.endpoint.uri – The URI of the JWKS endpoint used to load the public keys for signature verification. Every OAuth server URL the brokers contact, including this JWKS endpoint, must be listed in the org.apache.kafka.sasl.oauthbearer.allowed.urls property of the KafkaNodePool.

  • oauth.username.claim – The JWT claim from which the principal name (for example the client ID) is taken. The default is sub.

  • oauth.ssl.truststore.location – Full path inside the Container to the mounted certificate file. It must equal the volume mountPath joined with the path of the Secret item.

  • connections.max.reauth.ms – Maximum lifetime of an authenticated connection, in milliseconds. The broker requires the client to re-authenticate before this time elapses (or before its token expires, whichever is sooner) and closes the connection otherwise, so an expired or revoked token stops working within that window.

  • template.pod.volumes[*].secret.secretName – The Kubernetes Secret containing the OAuth certificate.

  • template.pod.volumes[*].secret.items[*].key – The key inside the Secret containing the OAuth certificate.

  • template.pod.volumes[*].secret.items[*].path – The relative path where the Secret key is mapped within the Volume. This can be a simple filename or include intermediate sub-directories.

  • template.kafkaContainer.volumeMounts[*].mountPath – The full path in the Container where the Volume is mounted. This must start with the fixed /mnt base path. [***PATH***] is your chosen destination suffix.
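The settings above have to agree with each other across three places (the JAAS string, the pod template and the KafkaNodePool), and a mismatch usually surfaces only as a failed broker start. The following added example, written for this page and not part of Strimzi or the original text, re-implements those consistency checks in plain Python over the parsed manifests: it parses the JAAS config string, derives the absolute path of each mounted Secret item, and verifies that the truststore location, the allowed URL list, the TLS setting and the re-authentication interval line up. The hostnames, Secret and volume names are hypothetical, and the check assumes that the allowed URL list is matched against the exact configured URL string.

```python
import re
from urllib.parse import urlparse

ALLOWED_URLS_PROP = "org.apache.kafka.sasl.oauthbearer.allowed.urls"
ISSUER = "https://sso.example.com/realms/kafka"      # hypothetical issuer
JWKS = ISSUER + "/protocol/openid-connect/certs"    # hypothetical JWKS endpoint

def build_sample(tls=False, reauth_ms=3600000, allowed=JWKS,
                 truststore="/mnt/oauth-certs/sso-ca.pem"):
    """Constructed sample: the page's two specs as parsed dicts, placeholders
    filled with hypothetical values; the keyword args produce broken variants."""
    jaas = ("org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required "
            'unsecuredLoginStringClaim_sub="unused" '
            f'oauth.valid.issuer.uri="{ISSUER}" oauth.jwks.endpoint.uri="{JWKS}" '
            'oauth.username.claim="preferred_username" '
            f'oauth.ssl.truststore.location="{truststore}" oauth.ssl.truststore.type="PEM";')
    kafka = {"kafka": {
        "listeners": [{"name": "oauth", "port": 9093, "type": "internal", "tls": tls,
                       "authentication": {"type": "custom", "sasl": True, "listenerConfig": {
                           "sasl.enabled.mechanisms": "OAUTHBEARER",
                           "oauthbearer.sasl.server.callback.handler.class":
                               "io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler",
                           "oauthbearer.sasl.jaas.config": jaas,
                           "connections.max.reauth.ms": reauth_ms}}}],
        "template": {
            "pod": {"volumes": [{"name": "oauth-certs", "secret": {
                "secretName": "oauth-server-cert",
                "items": [{"key": "sso-ca.pem", "path": "sso-ca.pem"}]}}]},
            "kafkaContainer": {"volumeMounts": [{"name": "oauth-certs", "mountPath": "/mnt/oauth-certs"}]}}}}
    nodepool = {"jvmOptions": {"javaSystemProperties": [{"name": ALLOWED_URLS_PROP, "value": allowed}]}}
    return kafka, nodepool

def parse_jaas_config(jaas):
    """Split 'Module flag key="value" ... ;' into (module, flag, {key: value})."""
    body = jaas.strip()
    if not body.endswith(";"):
        raise ValueError("JAAS config must end with ';'")
    module, flag, rest = (body[:-1].split(None, 2) + ["", ""])[:3]
    return module, flag, dict(re.findall(r'([\w.]+)="([^"]*)"', rest))

def mounted_files(kafka_spec):
    """Absolute paths of the Secret items inside the Kafka container, plus the volume -> mountPath map."""
    tmpl = kafka_spec["kafka"].get("template", {})
    mounts = {m["name"]: m["mountPath"] for m in tmpl.get("kafkaContainer", {}).get("volumeMounts", [])}
    files = set()
    for vol in tmpl.get("pod", {}).get("volumes", []):
        if vol["name"] in mounts:
            for item in vol.get("secret", {}).get("items", []):
                files.add(mounts[vol["name"]].rstrip("/") + "/" + item["path"])
    return files, mounts

def allowed_urls(nodepool_spec):
    """The comma-separated allow list from the KafkaNodePool, as a set of URL strings."""
    for prop in nodepool_spec.get("jvmOptions", {}).get("javaSystemProperties", []):
        if prop["name"] == ALLOWED_URLS_PROP:
            return {u.strip() for u in str(prop["value"]).split(",") if u.strip()}
    return set()

def check_oauth_listener(kafka_spec, nodepool_spec):
    """Return 'ERROR ...' / 'WARN ...' findings; an empty list means the pieces agree."""
    findings = []
    files, mounts = mounted_files(kafka_spec)
    for name, path in mounts.items():          # Strimzi only accepts extra mounts under /mnt
        if not path.startswith("/mnt/"):
            findings.append(f"ERROR volumeMount {name}: mountPath {path} is not under /mnt")
    allowed = allowed_urls(nodepool_spec)
    for lst in kafka_spec["kafka"]["listeners"]:
        auth, tag = lst.get("authentication", {}), f"listener {lst['name']}"
        cfg = auth.get("listenerConfig", {})
        if auth.get("type") != "custom" or "OAUTHBEARER" not in str(cfg.get("sasl.enabled.mechanisms", "")):
            continue
        if not lst.get("tls"):                 # the bearer token is the secret being sent
            findings.append(f"WARN {tag}: tls is false, bearer tokens cross the network in clear text")
        try:
            module, flag, opts = parse_jaas_config(cfg.get("oauthbearer.sasl.jaas.config", ""))
        except ValueError as err:
            findings.append(f"ERROR {tag}: {err}")
            continue
        if not module.endswith("OAuthBearerLoginModule") or flag != "required":
            findings.append(f"ERROR {tag}: unexpected JAAS module/flag {module} {flag}")
        for key in ("oauth.valid.issuer.uri", "oauth.jwks.endpoint.uri"):
            if key not in opts:
                findings.append(f"ERROR {tag}: {key} is missing from the JAAS config")
            elif urlparse(opts[key]).scheme != "https":
                findings.append(f"WARN {tag}: {key} is not https, keys fetched from it could be tampered with")
        jwks = opts.get("oauth.jwks.endpoint.uri")
        if jwks and jwks not in allowed:       # assumption: the allow list is matched on the exact URL string
            findings.append(f"ERROR {tag}: {jwks} is missing from {ALLOWED_URLS_PROP}")
        store = opts.get("oauth.ssl.truststore.location")
        if store and store not in files:
            findings.append(f"ERROR {tag}: truststore {store} does not match any mounted Secret item")
        reauth = cfg.get("connections.max.reauth.ms")
        if reauth is not None and int(reauth) < 60000:
            findings.append(f"WARN {tag}: connections.max.reauth.ms={reauth} is milliseconds, re-auth every {int(reauth) / 1000:g}s")
    return findings

if __name__ == "__main__":
    print(*(check_oauth_listener(*build_sample()) or ["OK: no findings"]), sep="\n")
```

Run as-is, the sample reproduces the page's listener and reports only the clear-text warning for tls: false; passing tls=True, or a wrong truststore path, an empty allow list or a re-authentication interval written in seconds, shows how each mismatch is reported before the manifests are applied.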