You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Kirk True (Jira)" <ji...@apache.org> on 2021/08/13 19:48:00 UTC

[jira] [Created] (KAFKA-13202) KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC

Kirk True created KAFKA-13202:
---------------------------------

             Summary: KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC
                 Key: KAFKA-13202
                 URL: https://issues.apache.org/jira/browse/KAFKA-13202
             Project: Kafka
          Issue Type: New Feature
          Components: clients, security
            Reporter: Kirk True
            Assignee: Kirk True


This task is to provide a concrete implementation of the interfaces defined in [KIP-255|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968876] to allow Kafka to connect to an [OAuth|https://en.wikipedia.org/wiki/OAuth] / [OIDC|https://en.wikipedia.org/wiki/OpenID#OpenID_Connect_(OIDC)] identity provider for authentication and token retrieval. While KIP-255 provides an unsecured JWT example for development, this will fill in the gap and provide a production-grade implementation.

The OAuth/OIDC work will allow out-of-the-box configuration by any Apache Kafka users to connect to an external identity provider service (e.g. Okta, Auth0, Azure, etc.). The code will implement the standard OAuth {{clientcredentials}} grant type.

The proposed change is largely composed of a pair of {{AuthenticateCallbackHandler}} implementations: one to login on the client and one to validate on the broker.

See [KIP-768: Extend SASL/OAUTHBEARER with Support for OIDC|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575] for more detail.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)