Hi All,

I am trying to have a Kafka configuration where we use OAuth2 for client-broker
communication and PLAINTEXT for inter-broker communication. The Kafka
broker should not need to talk to the OAuth server.

This is what the configuration looks like:

advertised.listeners is set to SASL_PLAINTEXT and PLAINTEXT.

inter.broker.listener.name=PLAINTEXT
sasl.enabled.mechanisms=OAUTHBEARER
listener.name.sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
listener.name.sasl_plaintext.oauthbearer.sasl.server.callback.handler.class=org.apache.kafka.common.security.oauthbearer.OAuthBearerValidatorCallbackHandler
#listener.name.sasl_plaintext.oauthbearer.sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
#listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId='clientId' clientSecret='clientSecret' scope='myscope';
#listener.name.sasl_plaintext.sasl.oauthbearer.token.endpoint.url=https://oauth-server:443/oauth2/v1/token

#Local JWKS
listener.name.sasl_plaintext.sasl.oauthbearer.jwks.endpoint.url=file:/C:/jwksLocal.json


listener.name.sasl_plaintext.sasl.oauthbearer.expected.audience=eps
listener.name.sasl_plaintext.sasl.oauthbearer.expected.issuer=https://ioauth.cloud.com/

However, with this, I get an exception while starting the Kafka broker:

java.lang.IllegalArgumentException: Could not find a 'KafkaServer' or 'sasl_plaintext.KafkaServer' entry in the JAAS configuration. System property 'java.security.auth.login.config' is not set

What could be the issue here?

I read in some sources that you can set the above configuration. I want
OAuth2 to be used only for client-broker communication. I am using a JWKS file URL, so
there should be no need to access the OAuth server. AFAIK, the token URL is
used only by the client, and in this case, since inter-broker communication uses
PLAINTEXT, that should not be an issue either if I comment out that or the
sasl.jaas.config. I am not sure why exactly it is even trying to look for
auth.login.config here.
The end goal is that the Kafka broker should not need to access the OAuth2 server.

Please let me know if it is possible.

Thanks,
Subra
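A small diagnostic, added here as an editor's example (not code from the thread or from Kafka itself), that reads a server.properties snippet and reports, for each SASL listener and enabled mechanism, which JAAS source the broker will resolve: the listener-prefixed sasl.jaas.config property, the static file passed with -Djava.security.auth.login.config, or neither (the case that produces the exception quoted above). The sample properties are constructed from the ones in the post; the listeners line and its ports are assumed.

```python
# Added check, not from the thread: reports where a Kafka broker resolves the JAAS
# entry for each SASL listener, following the lookup order in the Kafka security docs:
# listener.name.<l>.<mech>.sasl.jaas.config first, else the static JAAS file given by
# -Djava.security.auth.login.config ('<l>.KafkaServer' or 'KafkaServer'), else failure.

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, key=value, backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith(("#", "!")):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props
def sasl_listeners(props):
    """Names of listeners whose security protocol is SASL_* (default map: name == protocol)."""
    pairs = (p.partition(":") for p in props.get("listener.security.protocol.map", "").split(","))
    proto_map = {k.strip(): v.strip() for k, _, v in pairs}
    names = [e.strip().split("://", 1)[0] for e in props.get("listeners", "").split(",")]
    return [n for n in names if n and proto_map.get(n, n).startswith("SASL_")]
def jaas_lookups(props, login_config_set=False):
    """(listener, mechanism, source, detail) per SASL listener/mechanism. login_config_set: whether
    the JVM got -Djava.security.auth.login.config (a JVM flag, not a server.properties key)."""
    findings = []
    for listener in sasl_listeners(props):
        lname = listener.lower()  # Kafka lowercases the listener name in property keys
        mechs = props.get(f"listener.name.{lname}.sasl.enabled.mechanisms",
                          props.get("sasl.enabled.mechanisms", "GSSAPI"))
        for mech in (m.strip() for m in mechs.split(",") if m.strip()):
            key = f"listener.name.{lname}.{mech.lower()}.sasl.jaas.config"
            if key in props:
                findings.append((listener, mech, "inline", key))
            elif login_config_set:
                findings.append((listener, mech, "static", f"{lname}.KafkaServer or KafkaServer"))
            else:
                findings.append((listener, mech, "missing", key))
    return findings
# Constructed sample mirroring the post's properties (jaas.config is commented out there too).
SAMPLE = """
listeners=SASL_PLAINTEXT://:9093,PLAINTEXT://:9092
sasl.enabled.mechanisms=OAUTHBEARER
listener.name.sasl_plaintext.sasl.enabled.mechanisms=OAUTHBEARER
#listener.name.sasl_plaintext.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required;
listener.name.sasl_plaintext.sasl.oauthbearer.jwks.endpoint.url=file:/C:/jwksLocal.json
"""
```

Run `jaas_lookups(parse_properties(SAMPLE))` to see the "missing" finding for the sasl_plaintext listener; uncommenting the jaas.config line in the sample turns it into "inline".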
