nasa-gcn / gcn.nasa.gov

General Coordinates Network (GCN) web site
https://gcn.nasa.gov

Issue authentication materials to users that are bound to more than one group/scope #2382

Open lpsinger opened 3 months ago

lpsinger commented 3 months ago

Description

Currently, client credentials that we issue to users through https://gcn.nasa.gov/quickstart are good for exactly one group/scope. The reason is that we are transforming the scope claim in the JWT to a Kafka user principal. It would be really convenient if users could check boxes for all of the scopes that they want and generate a client credential that can be used for any of them.

It looks like there is now support for groups and RBAC using OAUTHBEARER in Confluent Platform, although there are some scary warnings about it not being ready for production use.

Acceptance criteria

lpsinger commented 2 months ago

Another useful link: https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_oauth.html#configure-mds-to-enable-oauth-without-ldap
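
The limitation described in the issue, as an added example that is not part of the thread or of the GCN code base: when the scope claim itself becomes the Kafka principal, a token can carry only one scope, whereas mapping each scope to a group lets one credential be authorized per topic. The scope names, topic patterns, ACL table and function names are constructed for illustration, and the claims are assumed to have already passed signature and expiry validation.

```python
from fnmatch import fnmatchcase

# Constructed ACL table (assumption): group/scope name -> topic patterns it may read.
ACLS = {
    "example/public-consumer": ["public.*"],
    "example/team-a-consumer": ["team-a.*"],
}


def scopes_of(claims: dict) -> list[str]:
    """Split the scope claim, a space-delimited string as in OAuth 2.0 (RFC 6749)."""
    return claims.get("scope", "").split()


def principal_single_scope(claims: dict) -> str:
    """Scope claim becomes the principal, as the issue describes.

    A principal is a single name, so zero or several scopes cannot be mapped.
    """
    scopes = scopes_of(claims)
    if len(scopes) != 1:
        raise ValueError(f"need exactly one scope, got {len(scopes)}")
    return f"User:{scopes[0]}"


def principal_with_groups(claims: dict) -> tuple[str, frozenset]:
    """Hypothetical alternative: identity from `sub`, every scope becomes a group."""
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token has no sub claim")
    return f"User:{sub}", frozenset(scopes_of(claims))


def may_read(groups: frozenset, topic: str) -> bool:
    """Deny by default; a group with no ACL entry grants nothing."""
    return any(
        fnmatchcase(topic, pattern)
        for group in groups
        for pattern in ACLS.get(group, ())
    )


if __name__ == "__main__":
    # Constructed claims for a credential bound to two scopes.
    claims = {"sub": "client-123",
              "scope": "example/public-consumer example/team-a-consumer"}
    user, groups = principal_with_groups(claims)
    for topic in ("public.notices", "team-a.alerts", "team-b.alerts"):
        print(user, topic, "ALLOW" if may_read(groups, topic) else "DENY")
```

With groups, authorization follows the intersection of the token's scopes and the ACL table, so a scope string the broker does not recognize adds no access.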