strimzi / strimzi-kafka-oauth

OAuth2 support for Apache Kafka® to work with many OAuth2 authorization servers
Apache License 2.0

Support for extensions_ in Oauth2 #227

Open rao2100 opened 6 months ago

rao2100 commented 6 months ago

Are there any plans to add support for the OAuth extension_ options so that we can use it to connect to Confluent Cloud? Ideally we want to be able to configure the following parameters:

bootstrap.servers=<bootstrap URL>
security.protocol=SASL_SSL
sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.mechanism=OAUTHBEARER
sasl.jaas.config= \
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId='<client ID>' \
    scope='<Requested Scope>' \
    clientSecret='<Client Secret>' \
    extension_logicalCluster='<Cluster ID>' \
    extension_identityPoolId='<Pool ID>';

I see that it is already supported in Kafka security but not in Strimzi. Right now we are not able to configure it in Strimzi Kafka Connect, as strimzi-kafka-oauth does not support it.

Strimzi: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/oauth-client/src/main/java/io/strimzi/kafka/oauth/client/JaasClientOauthLoginCallbackHandler.java

Kafka: https://github.com/a0x8o/kafka/blob/master/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java#L177

mstruk commented 6 months ago

We indeed don't support the SASL extensions in our OAuth plugin. I haven't encountered a use-case before where the broker made use of these, so there was no need to support them on the client. The assumption was always that the JaasClientOauthLoginCallbackHandler will always talk to a Kafka cluster that uses the JaasServerOauthValidatorCallbackHandler provided by this project, and in such a setup there is no need for SASL extensions. In your case you are connecting to a Kafka cluster that uses a different OAUTHBEARER plugin (AuthenticateCallbackHandler implementation), which relies on SASL extensions.

One obvious solution would be to use the default Kafka OAuth implementation on the client. But I guess that is not possible when using Strimzi Operator with KafkaConnect custom resource. In order to connect to your cluster you need to pass these extra configuration parameters as some kind of client context information separate from the access token.
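To make the "client context information separate from the access token" concrete, here is an added example (not code from strimzi-kafka-oauth or Apache Kafka) that models what Kafka's client-side OAUTHBEARER handler does with `extension_*` JAAS options: strip the prefix, validate the key/value against the RFC 7628 kvpair grammar that Kafka enforces (`auth` is reserved), and carry them next to the bearer token in the SASL client-initial-response. The JAAS option names come from the issue; all values are constructed placeholders, and the broker-side parser stands in for whatever custom AuthenticateCallbackHandler consumes the extensions.

```python
import re

# Constructed sample: the JAAS options from the issue, with placeholder values.
JAAS_OPTIONS = {
    "clientId": "kafka-connect",
    "clientSecret": "PLACEHOLDER-SECRET",          # not an extension, never sent
    "extension_logicalCluster": "CLUSTER-ID-PLACEHOLDER",
    "extension_identityPoolId": "POOL-ID-PLACEHOLDER",
}

EXTENSION_PREFIX = "extension_"
SEP = "\x01"  # RFC 7628 kvsep
# Limits Kafka applies to SASL extensions (RFC 7628 kvpair grammar):
# key = ASCII letters only, value = printable ASCII plus space/tab/CR/LF.
KEY_RE = re.compile(r"^[A-Za-z]+$")
VALUE_RE = re.compile(r"^[\x21-\x7E \t\r\n]+$")


def extensions_from_jaas(options):
    """Collect extension_* JAAS options into a SASL extensions map, rejecting bad ones."""
    exts = {}
    for name, value in options.items():
        if not name.startswith(EXTENSION_PREFIX):
            continue
        key = name[len(EXTENSION_PREFIX):]
        if key == "auth" or not KEY_RE.match(key):  # "auth" carries the token itself
            raise ValueError(f"illegal SASL extension key: {key!r}")
        if not VALUE_RE.match(value):
            raise ValueError(f"illegal SASL extension value for {key!r}")
        exts[key] = value
    return exts


def client_initial_response(token, extensions):
    """Encode the OAUTHBEARER client-first message: gs2-header, kvpairs, double kvsep."""
    pairs = ["auth=Bearer " + token] + [f"{k}={v}" for k, v in sorted(extensions.items())]
    return ("n,," + SEP + SEP.join(pairs) + SEP + SEP).encode("utf-8")


def parse_initial_response(data):
    """Broker side: split the message back into (token, extensions)."""
    text = data.decode("utf-8")
    if not text.startswith("n,," + SEP) or not text.endswith(SEP + SEP):
        raise ValueError("malformed OAUTHBEARER client response")
    token, exts = None, {}
    for pair in text[len("n,,") + 1:-2].split(SEP):
        key, _, value = pair.partition("=")
        if key == "auth":
            token = value.removeprefix("Bearer ")
        else:
            exts[key] = value
    return token, exts
```

The extensions travel in the clear inside the SASL frame alongside the token, which is why the configuration in the issue pairs them with security.protocol=SASL_SSL.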

mstruk commented 6 months ago

Support for SASL extensions has been added. See: #231

rao2100 commented 6 months ago

Very nice, thank you very much @mstruk

Any idea which Strimzi operator release this will be included in?

Currently we are configuring Strimzi Kafka Connect as below; will there be a new config introduced, like the `extensions` block below?

authentication:
    type: oauth
    clientId: kafka-connect
    clientSecret:
      key: secret
      secretName: connect-oauth-secret
    tokenEndpointUri: https://keycloak.keycloak:8443/auth/realms/master/protocol/openid-connect/token
    extensions:
      key1: value
      key2: value