Chapter 78. KafkaClientAuthenticationOAuth schema reference
Used in: KafkaBridgeSpec, KafkaConnectSpec, KafkaMirrorMaker2ClusterSpec, KafkaMirrorMakerConsumerSpec, KafkaMirrorMakerProducerSpec
Full list of KafkaClientAuthenticationOAuth schema properties
To configure OAuth client authentication, set the type property to oauth.
OAuth authentication can be configured using one of the following options:
- Client ID and secret
- Client ID and refresh token
- Access token
- Username and password
- TLS
Client ID and secret
You can configure the address of your authorization server in the tokenEndpointUri property together with the client ID and client secret used in authentication. The OAuth client will connect to the OAuth server, authenticate using the client ID and secret and get an access token which it will use to authenticate with the Kafka broker. In the clientSecret property, specify a link to a Secret containing the client secret.
An example of OAuth client authentication using client ID and client secret
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
clientId: my-client-id
clientSecret:
secretName: my-client-oauth-secret
key: client-secret
Optionally, scope and audience can be specified if needed.
Client ID and refresh token
You can configure the address of your OAuth server in the tokenEndpointUri property together with the OAuth client ID and refresh token. The OAuth client will connect to the OAuth server, authenticate using the client ID and refresh token and get an access token which it will use to authenticate with the Kafka broker. In the refreshToken property, specify a link to a Secret containing the refresh token.
An example of OAuth client authentication using client ID and refresh token
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
clientId: my-client-id
refreshToken:
secretName: my-refresh-token-secret
key: refresh-token
Access token
You can configure the access token used for authentication with the Kafka broker directly. In this case, you do not specify the tokenEndpointUri. In the accessToken property, specify a link to a Secret containing the access token.
An example of OAuth client authentication using only an access token
authentication:
type: oauth
accessToken:
secretName: my-access-token-secret
key: access-token
Username and password
OAuth username and password configuration uses the OAuth Resource Owner Password Grant mechanism. The mechanism is deprecated, and is only supported to enable integration in environments where client credentials (ID and secret) cannot be used. You might need to use user accounts if your access management system does not support another approach or user accounts are required for authentication.
A typical approach is to create a special user account in your authorization server that represents your client application. You then give the account a long randomly generated password and a very limited set of permissions. For example, the account can only connect to your Kafka cluster, but is not allowed to use any other services or login to the user interface.
Consider using a refresh token mechanism first.
You can configure the address of your authorization server in the tokenEndpointUri property together with the client ID, username and the password used in authentication. The OAuth client will connect to the OAuth server, authenticate using the username, the password, the client ID, and optionally even the client secret to obtain an access token which it will use to authenticate with the Kafka broker.
In the passwordSecret property, specify a link to a Secret containing the password.
Normally, you also have to configure a clientId using a public OAuth client. If you are using a confidential OAuth client, you also have to configure a clientSecret.
An example of OAuth client authentication using username and a password with a public client
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
username: my-username
passwordSecret:
secretName: my-password-secret-name
password: my-password-field-name
clientId: my-public-client-id
An example of OAuth client authentication using a username and a password with a confidential client
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
username: my-username
passwordSecret:
secretName: my-password-secret-name
password: my-password-field-name
clientId: my-confidential-client-id
clientSecret:
secretName: my-confidential-client-oauth-secret
key: client-secret
Optionally, scope and audience can be specified if needed.
TLS
Accessing the OAuth server using the HTTPS protocol does not require any additional configuration as long as the TLS certificates used by it are signed by a trusted certification authority and its hostname is listed in the certificate.
If your OAuth server is using certificates which are self-signed or are signed by a certification authority which is not trusted, you can configure a list of trusted certificates in the custom resource. The tlsTrustedCertificates property contains a list of secrets with key names under which the certificates are stored. The certificates must be stored in X509 format.
An example of TLS certificates provided
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
clientId: my-client-id
refreshToken:
secretName: my-refresh-token-secret
key: refresh-token
tlsTrustedCertificates:
- secretName: oauth-server-ca
certificate: tls.crt
The OAuth client will by default verify that the hostname of your OAuth server matches either the certificate subject or one of the alternative DNS names. If it is not required, you can disable the hostname verification.
An example of disabled TLS hostname verification
authentication:
type: oauth
tokenEndpointUri: https://sso.myproject.svc:8443/auth/realms/internal/protocol/openid-connect/token
clientId: my-client-id
refreshToken:
secretName: my-refresh-token-secret
key: refresh-token
disableTlsHostnameVerification: true
78.1. KafkaClientAuthenticationOAuth schema properties
The type property is a discriminator that distinguishes use of the KafkaClientAuthenticationOAuth type from KafkaClientAuthenticationTls, KafkaClientAuthenticationScramSha256, KafkaClientAuthenticationScramSha512, KafkaClientAuthenticationPlain. It must have the value oauth for the type KafkaClientAuthenticationOAuth.
| Property | Property type | Description |
|---|---|---|
| accessToken | Link to OpenShift Secret containing the access token which was obtained from the authorization server. | |
| accessTokenIsJwt | boolean |
Configure whether access token should be treated as JWT. This should be set to |
| audience | string |
OAuth audience to use when authenticating against the authorization server. Some authorization servers require the audience to be explicitly set. The possible values depend on how the authorization server is configured. By default, |
| clientId | string | OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. |
| clientSecret | Link to OpenShift Secret containing the OAuth client secret which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. | |
| connectTimeoutSeconds | integer | The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds. |
| disableTlsHostnameVerification | boolean |
Enable or disable TLS hostname verification. Default value is |
| enableMetrics | boolean |
Enable or disable OAuth metrics. Default value is |
| httpRetries | integer | The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries. |
| httpRetryPauseMs | integer | The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request. |
| includeAcceptHeader | boolean |
Whether the Accept header should be set in requests to the authorization servers. The default value is |
| maxTokenExpirySeconds | integer | Set or limit time-to-live of the access tokens to the specified number of seconds. This should be set if the authorization server returns opaque tokens. |
| passwordSecret |
Reference to the | |
| readTimeoutSeconds | integer | The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds. |
| refreshToken | Link to OpenShift Secret containing the refresh token which can be used to obtain access token from the authorization server. | |
| scope | string |
OAuth scope to use when authenticating against the authorization server. Some authorization servers require this to be set. The possible values depend on how authorization server is configured. By default |
| tlsTrustedCertificates |
| Trusted certificates for TLS connection to the OAuth server. |
| tokenEndpointUri | string | Authorization server token endpoint URI. |
| type | string |
Must be |
| username | string | Username used for the authentication. |
