Chapter 9. KafkaListenerAuthenticationOAuth schema reference

accessTokenIsJwt

boolean

Configure whether the access token is treated as JWT. This must be set to false if the authorization server returns opaque tokens. Defaults to true.

checkAccessTokenType

boolean

Configure whether the access token type check is performed or not. This should be set to false if the authorization server does not include 'typ' claim in JWT token. Defaults to true.

checkAudience

boolean

Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth Client ID also has to be configured using the clientId property. The Kafka broker will reject tokens that do not have its clientId in their aud (audience) claim.Default value is false.

checkIssuer

boolean

Enable or disable issuer checking. By default issuer is checked using the value configured by validIssuerUri. Default value is true.

clientAudience

string

The audience to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.

clientId

string

OAuth Client ID which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI.

clientScope

string

The scope to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.

clientSecret

GenericSecretSource

Link to OpenShift Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI.

connectTimeoutSeconds

integer

The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds.

customClaimCheck

string

JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default.

disableTlsHostnameVerification

boolean

Enable or disable TLS hostname verification. Default value is false.

enableECDSA

boolean

The enableECDSA property has been deprecated. Enable or disable ECDSA support by installing BouncyCastle crypto provider. ECDSA support is always enabled. The BouncyCastle libraries are no longer packaged with Streams for Apache Kafka. Value is ignored.

enableMetrics

boolean

Enable or disable OAuth metrics. Default value is false.

enableOauthBearer

boolean

Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is true.

enablePlain

boolean

Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is false.

failFast

boolean

Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is true.

fallbackUserNameClaim

string

The fallback username claim to be used for the user id if the claim specified by userNameClaim is not present. This is useful when client_credentials authentication only results in the client id being provided in another claim. It only takes effect if userNameClaim is set.

fallbackUserNamePrefix

string

The prefix to use with the value of fallbackUserNameClaim to construct the user id. This only takes effect if fallbackUserNameClaim is true, and the value is present for the claim. Mapping usernames and client ids into the same user id space is useful in preventing name collisions.

groupsClaim

string

JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted.

groupsClaimDelimiter

string

A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma).

httpRetries

integer

The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries.

httpRetryPauseMs

integer

The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request.

includeAcceptHeader

boolean

Whether the Accept header should be set in requests to the authorization servers. The default value is true.

introspectionEndpointUri

string

URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens.

jwksEndpointUri

string

URI of the JWKS certificate endpoint, which can be used for local JWT validation.

jwksExpirySeconds

integer

Configures how often are the JWKS certificates considered valid. The expiry interval has to be at least 60 seconds longer then the refresh interval specified in jwksRefreshSeconds. Defaults to 360 seconds.

jwksIgnoreKeyUse

boolean

Flag to ignore the 'use' attribute of key declarations in a JWKS endpoint response. Default value is false.

jwksMinRefreshPauseSeconds

integer

The minimum pause between two consecutive refreshes. When an unknown signing key is encountered the refresh is scheduled immediately, but will always wait for this minimum pause. Defaults to 1 second.

jwksRefreshSeconds

integer

Configures how often are the JWKS certificates refreshed. The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in jwksExpirySeconds. Defaults to 300 seconds.

maxSecondsWithoutReauthentication

integer

Maximum number of seconds the authenticated session remains valid without re-authentication. This enables Apache Kafka re-authentication feature, and causes sessions to expire when the access token expires. If the access token expires before max time or if max time is reached, the client has to re-authenticate, otherwise the server will drop the connection. Not set by default - the authenticated session does not expire when the access token expires. This option only applies to SASL_OAUTHBEARER authentication mechanism (when enableOauthBearer is true).

readTimeoutSeconds

integer

The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds.

tlsTrustedCertificates

CertSecretSource array

Trusted certificates for TLS connection to the OAuth server.

tokenEndpointUri

string

URI of the Token Endpoint to use with SASL_PLAIN mechanism when the client authenticates with clientId and a secret. If set, the client can authenticate over SASL_PLAIN by either setting username to clientId, and setting password to client secret, or by setting username to account username, and password to access token prefixed with $accessToken:. If this option is not set, the password is always interpreted as an access token (without a prefix), and username as the account username (a so called 'no-client-credentials' mode).

type

string

Must be oauth.

userInfoEndpointUri

string

URI of the User Info Endpoint to use as a fallback to obtaining the user id when the Introspection Endpoint does not return information that can be used for the user id.

userNameClaim

string

Name of the claim from the JWT authentication token, Introspection Endpoint response or User Info Endpoint response which will be used to extract the user id. Defaults to sub.

validIssuerUri

string

URI of the token issuer used for authentication.

validTokenType

string

Valid value for the token_type attribute returned by the Introspection Endpoint. No default value, and not checked by default.