Ce contenu n'est pas disponible dans la langue sélectionnée.
Chapter 9. KafkaListenerAuthenticationOAuth schema reference
Used in: GenericKafkaListener
The type
property is a discriminator that distinguishes use of the KafkaListenerAuthenticationOAuth
type from KafkaListenerAuthenticationTls
, KafkaListenerAuthenticationScramSha512
, KafkaListenerAuthenticationCustom
. It must have the value oauth
for the type KafkaListenerAuthenticationOAuth
.
Property | Property type | Description |
---|---|---|
accessTokenIsJwt | boolean |
Configure whether the access token is treated as JWT. This must be set to |
checkAccessTokenType | boolean |
Configure whether the access token type check is performed or not. This should be set to |
checkAudience | boolean |
Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth Client ID also has to be configured using the |
checkIssuer | boolean |
Enable or disable issuer checking. By default issuer is checked using the value configured by |
clientAudience | string |
The audience to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the |
clientId | string | OAuth Client ID which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. |
clientScope | string |
The scope to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the |
clientSecret | Link to OpenShift Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI. | |
connectTimeoutSeconds | integer | The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds. |
customClaimCheck | string | JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default. |
disableTlsHostnameVerification | boolean |
Enable or disable TLS hostname verification. Default value is |
enableECDSA | boolean |
The |
enableMetrics | boolean |
Enable or disable OAuth metrics. Default value is |
enableOauthBearer | boolean |
Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is |
enablePlain | boolean |
Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is |
failFast | boolean |
Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is |
fallbackUserNameClaim | string |
The fallback username claim to be used for the user id if the claim specified by |
fallbackUserNamePrefix | string |
The prefix to use with the value of |
groupsClaim | string | JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted. |
groupsClaimDelimiter | string | A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma). |
httpRetries | integer | The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries. |
httpRetryPauseMs | integer | The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request. |
includeAcceptHeader | boolean |
Whether the Accept header should be set in requests to the authorization servers. The default value is |
introspectionEndpointUri | string | URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens. |
jwksEndpointUri | string | URI of the JWKS certificate endpoint, which can be used for local JWT validation. |
jwksExpirySeconds | integer |
Configures how often are the JWKS certificates considered valid. The expiry interval has to be at least 60 seconds longer then the refresh interval specified in |
jwksIgnoreKeyUse | boolean |
Flag to ignore the 'use' attribute of |
jwksMinRefreshPauseSeconds | integer | The minimum pause between two consecutive refreshes. When an unknown signing key is encountered the refresh is scheduled immediately, but will always wait for this minimum pause. Defaults to 1 second. |
jwksRefreshSeconds | integer |
Configures how often are the JWKS certificates refreshed. The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in |
maxSecondsWithoutReauthentication | integer |
Maximum number of seconds the authenticated session remains valid without re-authentication. This enables Apache Kafka re-authentication feature, and causes sessions to expire when the access token expires. If the access token expires before max time or if max time is reached, the client has to re-authenticate, otherwise the server will drop the connection. Not set by default - the authenticated session does not expire when the access token expires. This option only applies to SASL_OAUTHBEARER authentication mechanism (when |
readTimeoutSeconds | integer | The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds. |
tlsTrustedCertificates |
| Trusted certificates for TLS connection to the OAuth server. |
tokenEndpointUri | string |
URI of the Token Endpoint to use with SASL_PLAIN mechanism when the client authenticates with |
type | string |
Must be |
userInfoEndpointUri | string | URI of the User Info Endpoint to use as a fallback to obtaining the user id when the Introspection Endpoint does not return information that can be used for the user id. |
userNameClaim | string |
Name of the claim from the JWT authentication token, Introspection Endpoint response or User Info Endpoint response which will be used to extract the user id. Defaults to |
validIssuerUri | string | URI of the token issuer used for authentication. |
validTokenType | string |
Valid value for the |