Chapter 2. Enhancements
The enhancements added in this release are outlined below.
2.1. Kafka 2.8.0 enhancements
For an overview of the enhancements introduced with Kafka 2.8.0, refer to the Kafka 2.8.0 Release Notes.
2.2. OAuth 2.0 authentication enhancements
Configure audience and scope
You can now configure the oauth.audience and oauth.scope properties and pass their values as parameters when obtaining a token. Both properties are configured in the OAuth 2.0 authentication listener configuration.
Use these properties in the following scenarios:
- When obtaining an access token for inter-broker authentication
- In the name of a client for OAuth 2.0 over PLAIN client authentication, using a clientId and secret
These properties affect whether a client can obtain a token and the content of the token. They do not affect token validation rules imposed by the listener.
Example configuration for oauth.audience and oauth.scope properties
listener.name.client.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  # ...
  oauth.token.endpoint.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME/protocol/openid-connect/token" \
  oauth.scope="SCOPE" \
  oauth.audience="AUDIENCE" \
  oauth.check.audience="true" \
  # ...
Your authorization server might provide aud (audience) claims in JWT access tokens. When audience checks are enabled by setting oauth.check.audience="true", the Kafka broker rejects tokens that do not contain the broker's clientId in their aud claims. Audience checks are disabled by default.
See Configuring OAuth 2.0 support for Kafka brokers
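The audience rule above, worked through as an added example (not code from AMQ Streams or Kafka): a small claim validator that mirrors oauth.valid.issuer.uri and oauth.check.audience, applied to constructed, unsigned tokens. It assumes the broker's clientId is "kafka-broker" and that signature verification against the JWKS endpoint has already passed; note that RFC 7519 lets aud be either a single string or an array, and both forms must be accepted.

```python
import base64
import json

# Constructed sample tokens for this example: unsigned (alg "none") so they can
# be built offline. Signature verification against oauth.jwks.endpoint.uri is
# assumed to have already succeeded before these claim checks run.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_payload(token: str) -> dict:
    """Parse the claims of a compact JWT (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def validate_claims(claims: dict, valid_issuer: str, broker_client_id: str,
                    check_audience: bool = False) -> tuple:
    """Listener-side rules described in the text: iss must equal the configured
    valid issuer; when check_audience is true (oauth.check.audience="true"), the
    broker's clientId must appear in aud. aud may be a string or an array."""
    if claims.get("iss") != valid_issuer:
        return False, "issuer mismatch"
    if not check_audience:
        return True, "audience check disabled (default)"
    aud = claims.get("aud")
    if aud is None:
        return False, "no aud claim"
    if isinstance(aud, str):
        aud = [aud]
    if broker_client_id not in aud:
        return False, f"aud {aud} does not include {broker_client_id!r}"
    return True, "audience ok"

ISSUER = "https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME"  # placeholder issuer
BROKER_ID = "kafka-broker"  # assumed clientId of the broker

# Constructed tokens: aud as a string, as an array, absent, and for another service
TOKEN_STRING_AUD = make_unsigned_token({"iss": ISSUER, "aud": "kafka-broker", "sub": "alice"})
TOKEN_ARRAY_AUD = make_unsigned_token({"iss": ISSUER, "aud": ["account", "kafka-broker"], "sub": "bob"})
TOKEN_NO_AUD = make_unsigned_token({"iss": ISSUER, "sub": "carol"})
TOKEN_OTHER_AUD = make_unsigned_token({"iss": ISSUER, "aud": "other-service", "sub": "dave"})

def check(token: str, check_audience: bool) -> bool:
    return validate_claims(decode_jwt_payload(token), ISSUER, BROKER_ID, check_audience)[0]
```

With the default (check disabled) every token above passes the audience rule; with oauth.check.audience="true" only the two that name "kafka-broker" in aud are accepted.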
Token endpoint not required with OAuth 2.0 over PLAIN
The oauth.token.endpoint.uri parameter is no longer required when using the "client ID and secret" method for OAuth 2.0 over PLAIN authentication.
Example OAuth 2.0 over PLAIN listener configuration with token endpoint URI specified
listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  oauth.valid.issuer.uri="https://__AUTH-SERVER-ADDRESS__" \
  oauth.jwks.endpoint.uri="https://__AUTH-SERVER-ADDRESS__/jwks" \
  oauth.username.claim="preferred_username" \
  oauth.token.endpoint.uri="https://__AUTH_SERVER__/auth/realms/__REALM__/protocol/openid-connect/token" ;
If the oauth.token.endpoint.uri is not specified, the listener treats the:
- username parameter as the account name
- password parameter as the raw access token, which is passed to the authorization server for validation (the same behavior as for OAUTHBEARER authentication)
The behavior of the "long-lived access token" method for OAuth 2.0 over PLAIN authentication is unchanged. The oauth.token.endpoint.uri is not required when using this method.