
Chapter 9. KafkaListenerAuthenticationOAuth schema reference


Used in: GenericKafkaListener

The type property is a discriminator that distinguishes use of the KafkaListenerAuthenticationOAuth type from KafkaListenerAuthenticationTls, KafkaListenerAuthenticationScramSha512, and KafkaListenerAuthenticationCustom. It must have the value oauth for the type KafkaListenerAuthenticationOAuth.

Property | Property type | Description

type

string

Must be oauth.

clientId

string

OAuth client ID which the Kafka broker can use to authenticate against the authorization server and call the introspection endpoint URI.

clientSecret

GenericSecretSource

Link to the OpenShift Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and call the introspection endpoint URI.

validIssuerUri

string

URI of the token issuer used for authentication.

checkIssuer

boolean

Enable or disable issuer checking. By default issuer is checked using the value configured by validIssuerUri. Default value is true.

checkAudience

boolean

Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth client ID also has to be configured using the clientId property. The Kafka broker will reject tokens that do not have its clientId in their aud (audience) claim. Default value is false.

jwksEndpointUri

string

URI of the JWKS certificate endpoint, which can be used for local JWT validation.

jwksRefreshSeconds

integer

Configures how often the JWKS certificates are refreshed. The refresh interval has to be at least 60 seconds shorter than the expiry interval specified in jwksExpirySeconds. Defaults to 300 seconds.

jwksMinRefreshPauseSeconds

integer

The minimum pause between two consecutive refreshes. When an unknown signing key is encountered, a refresh is scheduled immediately but always waits for this minimum pause. Defaults to 1 second.

jwksExpirySeconds

integer

Configures how long the JWKS certificates are considered valid. The expiry interval has to be at least 60 seconds longer than the refresh interval specified in jwksRefreshSeconds. Defaults to 360 seconds.

jwksIgnoreKeyUse

boolean

Flag to ignore the 'use' attribute of key declarations in a JWKS endpoint response. Default value is false.
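The issuer, audience and JWKS settings above, assembled into one listener that validates JWT access tokens locally. This is an added example, not a fragment of the original reference or of the Streams for Apache Kafka documentation; the hostnames, realm path and Secret names are assumptions chosen for illustration, while the property names, defaults and the refresh/expiry constraint are the ones this reference describes.

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: external
        port: 9094
        type: route
        tls: true
        authentication:
          type: oauth                      # discriminator: selects KafkaListenerAuthenticationOAuth
          # Issuer the broker accepts. checkIssuer defaults to true, so a token whose
          # iss claim differs from this URI is rejected. (Hostname and realm are assumptions.)
          validIssuerUri: https://sso.example.com/realms/kafka
          # JWKS endpoint for local signature validation; no per-connection call to the server.
          jwksEndpointUri: https://sso.example.com/realms/kafka/protocol/openid-connect/certs
          # Refresh/expiry pair. Expiry must be at least 60 s longer than refresh:
          # 300/360 (the defaults) satisfy this, 300/330 would violate it.
          jwksRefreshSeconds: 300
          jwksExpirySeconds: 360
          jwksMinRefreshPauseSeconds: 1    # floor on how fast an unknown key ID can trigger a refetch
          # Audience binding. With checkAudience at its default (false), a token issued by the
          # same issuer for a different service would still be accepted by this broker.
          checkAudience: true
          clientId: kafka-broker           # must appear in the token's aud claim
          # Trust anchor for the TLS connection to the authorization server; leave
          # disableTlsHostnameVerification at its default (false).
          tlsTrustedCertificates:
            - secretName: oauth-server-cert   # assumption: Secret holding the server CA
              certificate: ca.crt
```

checkAudience is the setting to verify first when hardening such a listener: the default accepts any token the issuer signs, regardless of which service it was issued for.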

introspectionEndpointUri

string

URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens.

userNameClaim

string

Name of the claim from the JWT authentication token, Introspection Endpoint response, or User Info Endpoint response which will be used to extract the user ID. Defaults to sub.

fallbackUserNameClaim

string

The fallback username claim to be used for the user ID if the claim specified by userNameClaim is not present. This is useful when client_credentials authentication only results in the client ID being provided in another claim. It only takes effect if userNameClaim is set.

fallbackUserNamePrefix

string

The prefix to use with the value of fallbackUserNameClaim to construct the user ID. This only takes effect if fallbackUserNameClaim is set and the value is present for the claim. Mapping usernames and client IDs into the same user ID space is useful in preventing name collisions.

groupsClaim

string

JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted.

groupsClaimDelimiter

string

A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma).

userInfoEndpointUri

string

URI of the User Info Endpoint to use as a fallback for obtaining the user ID when the Introspection Endpoint does not return information that can be used for the user ID.

checkAccessTokenType

boolean

Configure whether the access token type check is performed or not. This should be set to false if the authorization server does not include the 'typ' claim in the JWT token. Defaults to true.

validTokenType

string

Valid value for the token_type attribute returned by the Introspection Endpoint. No default value, and not checked by default.

accessTokenIsJwt

boolean

Configure whether the access token is treated as JWT. This must be set to false if the authorization server returns opaque tokens. Defaults to true.
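A listener for opaque (non-JWT) tokens, which also shows the user ID mapping chain described under userNameClaim, fallbackUserNameClaim, fallbackUserNamePrefix and userInfoEndpointUri. This is an added example, not part of the original reference or of the product documentation; the endpoint hostnames, Secret names and the claim name preferred_username are assumptions specific to a hypothetical issuer, and client_id is used as the fallback claim only as an illustration of what an issuer might return for client_credentials tokens.

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: external
        port: 9094
        type: route
        tls: true
        authentication:
          type: oauth
          # Opaque tokens cannot be validated locally: declare them non-JWT so every
          # new connection's token is sent to the introspection endpoint instead.
          accessTokenIsJwt: false
          introspectionEndpointUri: https://sso.example.com/realms/kafka/protocol/openid-connect/token/introspect
          # Introspection is an authenticated call; the broker presents its own client
          # credentials. The secret value stays in the Secret, only the reference is here.
          clientId: kafka-broker
          clientSecret:
            secretName: kafka-broker-oauth-secret   # assumption: Secret created out of band
            key: secret
          # Accept only introspection responses whose token_type is Bearer. Without this
          # the token_type attribute is not checked at all (no default).
          validTokenType: Bearer
          # User ID mapping. Tokens obtained with client_credentials may carry no username,
          # so fall back to the client ID and prefix it, keeping service accounts and
          # human users apart in one principal namespace (service-account-kafka-cli vs alice).
          userNameClaim: preferred_username        # assumption: issuer-specific claim name
          fallbackUserNameClaim: client_id          # assumption: issuer-specific claim name
          fallbackUserNamePrefix: service-account-
          # Last resort for the user ID when introspection returns nothing usable for it.
          userInfoEndpointUri: https://sso.example.com/realms/kafka/protocol/openid-connect/userinfo
          tlsTrustedCertificates:
            - secretName: oauth-server-cert
              certificate: ca.crt
```

The resolution order follows the reference: userNameClaim first, then fallbackUserNameClaim with its prefix, then the User Info Endpoint. checkAccessTokenType has no effect here because it inspects the 'typ' claim of a JWT, and this listener never parses the token as one.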

tlsTrustedCertificates

CertSecretSource array

Trusted certificates for TLS connection to the OAuth server.

disableTlsHostnameVerification

boolean

Enable or disable TLS hostname verification. Default value is false.

enableECDSA

boolean

The enableECDSA property has been deprecated. Enable or disable ECDSA support by installing BouncyCastle crypto provider. ECDSA support is always enabled. The BouncyCastle libraries are no longer packaged with Streams for Apache Kafka. Value is ignored.

maxSecondsWithoutReauthentication

integer

Maximum number of seconds the authenticated session remains valid without re-authentication. This enables the Apache Kafka re-authentication feature and causes sessions to expire when the access token expires. If the access token expires before the maximum time, or if the maximum time is reached, the client has to re-authenticate; otherwise the server drops the connection. Not set by default, in which case the authenticated session does not expire when the access token expires. This option only applies to the SASL_OAUTHBEARER authentication mechanism (when enableOauthBearer is true).

enablePlain

boolean

Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is false.

tokenEndpointUri

string

URI of the Token Endpoint to use with the SASL_PLAIN mechanism when the client authenticates with clientId and a secret. If set, the client can authenticate over SASL_PLAIN either by setting the username to the clientId and the password to the client secret, or by setting the username to the account username and the password to the access token prefixed with $accessToken:. If this option is not set, the password is always interpreted as an access token (without a prefix) and the username as the account username (so-called 'no-client-credentials' mode).

enableOauthBearer

boolean

Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is true.

customClaimCheck

string

JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default.

connectTimeoutSeconds

integer

The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds.

readTimeoutSeconds

integer

The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds.

httpRetries

integer

The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries.

httpRetryPauseMs

integer

The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request.

clientScope

string

The scope to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.

clientAudience

string

The audience to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.
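A listener that combines the two SASL mechanisms described above: OAUTHBEARER with bounded re-authentication (maxSecondsWithoutReauthentication), OAuth over SASL_PLAIN with tokenEndpointUri, and the clientScope and clientAudience values the broker sends to the token endpoint for its own inter-broker and PLAIN-path requests. This is an added example, not part of the original reference or of the product documentation; the hostnames, Secret names, scope and audience strings, and the claim names in customClaimCheck and groupsClaim are assumptions, since all of those are defined by the authorization server, not by this schema.

```yaml
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    listeners:
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: oauth
          validIssuerUri: https://sso.example.com/realms/kafka
          jwksEndpointUri: https://sso.example.com/realms/kafka/protocol/openid-connect/certs
          checkAudience: true
          clientId: kafka-broker
          clientSecret:
            secretName: kafka-broker-oauth-secret
            key: secret
          # Parameters the broker itself sends to the token endpoint, used for inter-broker
          # authentication and for the clientId+secret path of OAuth over PLAIN.
          clientScope: kafka              # assumption: scope names are issuer-specific
          clientAudience: kafka-broker
          # OAUTHBEARER (default true) with re-authentication: a session must re-authenticate
          # when its access token expires, and in any case no later than one hour after it
          # authenticated. Unset, the session would outlive the token.
          enableOauthBearer: true
          maxSecondsWithoutReauthentication: 3600
          # OAuth over SASL_PLAIN for clients without OAUTHBEARER support. Because
          # tokenEndpointUri is set, the broker accepts two credential shapes:
          #   username = <clientId>,         password = <client secret>
          #   username = <account username>, password = $accessToken:<access token>
          # Without tokenEndpointUri the password is always read as a bare access token.
          # There is no re-authentication on this path: the session lasts as long as
          # the connection, so keep maxSecondsWithoutReauthentication in mind when
          # deciding whether to enable it.
          enablePlain: true
          tokenEndpointUri: https://sso.example.com/realms/kafka/protocol/openid-connect/token
          # Extra token gate and group extraction, both JsonPath over the token or
          # introspection response. azp and groups are hypothetical claim names.
          customClaimCheck: "@.azp == 'kafka-cli'"
          groupsClaim: $.groups
          tlsTrustedCertificates:
            - secretName: oauth-server-cert
              certificate: ca.crt
```

Enabling SASL_PLAIN widens what the listener accepts: client secrets now travel in the SASL exchange, so the listener must stay on TLS, and the missing re-authentication means token revocation is only enforced at the next connection.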

enableMetrics

boolean

Enable or disable OAuth metrics. Default value is false.

failFast

boolean

Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is true.

includeAcceptHeader

boolean

Whether the Accept header should be set in requests to the authorization servers. The default value is true.

serverBearerTokenLocation

string

Path to the file on the local filesystem that contains a bearer token to be used instead of the client ID and secret when authenticating to the authorization server.

userNamePrefix

string

The prefix to use with the value of userNameClaim to construct the user ID. This only takes effect if userNameClaim is specified and the value is present for the claim. When used in combination with fallbackUserNameClaim, it ensures consistent mapping of usernames and client IDs into the same user ID space and prevents name collisions.
