Kafka `CallbackHandler` implementation to support Azure Managed Identity

conduktor/azure-kafka-oauthbearer

Kafka Azure OAuthBearer Login CallbackHandler

This library provides a Kafka login callback handler for Azure Managed Identity, with support for both client certificate and environment variable authentication.

The library is based on the Azure Identity library and is already integrated into Conduktor Console 1.23+ and Conduktor Gateway 3.1+.

Usage

Add the dependency

Check the latest version on the releases page.

<dependency>
    <groupId>io.conduktor</groupId>
    <artifactId>azure-kafka-oauthbearer</artifactId>
    <version>0.2.0</version>
</dependency>

sbt

libraryDependencies += "io.conduktor" % "azure-kafka-oauthbearer" % "0.2.0"

Client certificate authentication

Use client certificate authentication to retrieve the OAuth bearer token.
See the Azure Identity ClientCertificateCredential documentation for details.

Certificate without passphrase

Use io.conduktor.kafka.security.oauthbearer.azure.AzureManagedIdentityCallbackHandler as the callback handler class and provide the following required parameters in the sasl.jaas.config property:

  • clientId : The client id of the service principal
  • tenantId : The tenant id of the service principal
  • certificate : The path to the pfx or pem certificate file (in Console or Gateway the certificate must be mounted into the container at that path)
  • scope : The scope of the token, for example https://<resource>/.default

Quote any value that contains characters such as / or spaces (the certificate path and the scope in particular): Kafka's sasl.jaas.config parser treats unquoted special characters as delimiters or comment markers, and an unquoted path is silently truncated.

sasl.login.callback.handler.class=io.conduktor.kafka.security.oauthbearer.azure.AzureManagedIdentityCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId=<clientId> tenantId=<tenantId> certificate="<pfx/pem cert path>" scope="https://<resource>/.default";

Certificate with passphrase

Same as above, with the optional certificatePass parameter carrying the passphrase of the certificate. Kafka treats sasl.jaas.config as a password-type setting and masks it in logged client configuration, but the passphrase is still plaintext in whatever properties file or environment supplies it, so protect that source as you would the certificate itself.

sasl.login.callback.handler.class=io.conduktor.kafka.security.oauthbearer.azure.AzureManagedIdentityCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId=<clientId> tenantId=<tenantId> certificate="<pfx cert path>" certificatePass="<cert passphrase>" scope="https://<resource>/.default";

Environment variable authentication

Use the Azure Identity default environment variables to configure bearer token retrieval. See the Azure Identity EnvironmentCredential documentation for details.

Use io.conduktor.kafka.security.oauthbearer.azure.AzureManagedIdentityCallbackHandler as the callback handler class and provide only the following required parameter in the sasl.jaas.config property:

  • scope : The scope of the token

The remaining parameters are read from environment variables; the authentication method is selected by which set of variables is present:

  • AZURE_CLIENT_ID / AZURE_CLIENT_SECRET / AZURE_TENANT_ID : for client secret authentication
  • AZURE_CLIENT_ID / AZURE_CLIENT_CERTIFICATE_PATH / AZURE_CLIENT_CERTIFICATE_PASSWORD / AZURE_TENANT_ID : for client certificate authentication
  • AZURE_CLIENT_ID / AZURE_USERNAME / AZURE_PASSWORD / AZURE_TENANT_ID : for username password authentication

sasl.login.callback.handler.class=io.conduktor.kafka.security.oauthbearer.azure.AzureManagedIdentityCallbackHandler
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required scope="https://<resource>/.default";
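The two sasl.jaas.config layouts above (certificate mode with inline clientId, tenantId, certificate and optional certificatePass; environment mode with only scope) differ only in which options are inline. What both share is that every value containing a slash or a space has to be quoted: Kafka parses sasl.jaas.config with java.io.StreamTokenizer, whose defaults make an unquoted / begin a line comment, so an unquoted certificate path or scope is dropped and the login fails at parse time. The script below is an added example, not code from the azure-kafka-oauthbearer project or from Kafka. It renders the string for both modes with correct quoting and checks the result against a simplified model of that tokenizer; the client id, tenant id, certificate path and scope are constructed sample values.

```python
"""Build and check sasl.jaas.config strings for AzureManagedIdentityCallbackHandler.

Added example, not code from the azure-kafka-oauthbearer project or from Kafka.
tokenize_jaas() is a simplified model of the java.io.StreamTokenizer behaviour
Kafka relies on (quoted strings with backslash escapes, '/' opening a comment);
numeric parsing of unquoted digit-only values, another reason to quote, is not
modelled here.
"""

LOGIN_MODULE = "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule"


def jaas_value(value):
    """Quote an option value so '/', '.', spaces and digits are taken literally."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_jaas_config(scope, client_id=None, tenant_id=None,
                      certificate=None, certificate_pass=None):
    """Return the sasl.jaas.config value for one of the README's two modes.

    Certificate mode needs clientId, tenantId and certificate (certificatePass is
    optional); environment mode needs only scope, the handler then reads AZURE_*.
    """
    options = {"scope": scope}
    cert_params = (client_id, tenant_id, certificate)
    if any(cert_params):
        if not all(cert_params):
            raise ValueError("clientId, tenantId and certificate are all required")
        options.update(clientId=client_id, tenantId=tenant_id, certificate=certificate)
        if certificate_pass is not None:
            options["certificatePass"] = certificate_pass
    elif certificate_pass is not None:
        raise ValueError("certificatePass given without a certificate")
    rendered = " ".join(f"{key}={jaas_value(val)}" for key, val in options.items())
    return f"{LOGIN_MODULE} required {rendered};"


def tokenize_jaas(text):
    """Simplified StreamTokenizer: '"' opens a quoted token with backslash escapes,
    an unquoted '/' discards the rest of the line, '=' and ';' are single-char
    tokens, every other run of non-space characters is a word."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == '"':
            buf, j = [], i + 1
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n:
                    j += 1  # escaped character: take the next one literally
                buf.append(text[j])
                j += 1
            tokens.append(("quoted", "".join(buf)))
            i = j + 1
        elif c == "/":
            nl = text.find("\n", i)  # comment: everything up to the newline is lost
            i = n if nl == -1 else nl + 1
        elif c in "=;":
            tokens.append((c, c))
            i += 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '"/=;':
                j += 1
            tokens.append(("word", text[i:j]))
            i = j
    return tokens


def parse_jaas_options(text):
    """Parse '<module> <flag> key=value ... ;' into (module, flag, options),
    failing when a key has no usable value, as an unquoted path produces."""
    toks = tokenize_jaas(text)
    if len(toks) < 2 or toks[0][0] != "word" or toks[1][0] != "word":
        raise ValueError("login module class and control flag are required")
    module, flag = toks[0][1], toks[1][1]
    options, i = {}, 2
    while i < len(toks) and toks[i][0] != ";":
        key = toks[i][1]
        if (i + 2 >= len(toks) or toks[i + 1][0] != "="
                or toks[i + 2][0] not in ("word", "quoted")):
            raise ValueError(f"Value not specified for key '{key}'")
        options[key] = toks[i + 2][1]
        i += 3
    return module, flag, options


def demo():
    """Constructed sample values; none of these are real identifiers."""
    cfg = build_jaas_config(
        scope="https://example.servicebus.windows.net/.default",
        client_id="00000000-0000-0000-0000-000000000001",
        tenant_id="00000000-0000-0000-0000-000000000002",
        certificate="/etc/kafka/certs/sp.pfx",
        certificate_pass="correct horse",
    )
    _, _, options = parse_jaas_options(cfg)

    # Same path left unquoted: '/' opens a comment and the rest of the line vanishes.
    unquoted = f'{LOGIN_MODULE} required certificate=/etc/kafka/certs/sp.pfx scope="x";'
    try:
        parse_jaas_options(unquoted)
        path_lost = False
    except ValueError:
        path_lost = True

    try:
        build_jaas_config(scope="x", client_id="only-the-client-id")
        partial_rejected = False
    except ValueError:
        partial_rejected = True

    return {"options": options, "unquoted_path_lost": path_lost,
            "partial_cert_params_rejected": partial_rejected}


if __name__ == "__main__":
    print(build_jaas_config(scope="https://example.servicebus.windows.net/.default"))
    print(demo())
```

Run it to see the environment-mode string and the round trip of the certificate-mode string; the quoting in jaas_value is what keeps a path such as /etc/kafka/certs/sp.pfx intact, and the same rule applies to the AZURE_CLIENT_CERTIFICATE_PATH value only if you ever inline it rather than pass it through the environment.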

Other authentication methods

Other authentication methods are not supported yet and could be added in the future.

Contributing

Please read CONTRIBUTING.md for details on our code of conduct, and the process for submitting pull requests to us.