Hi Subra,

I'm one of the authors of the OAuth support in Kafka. Answers to your questions 
are below...

On Tue, Feb 25, 2025, at 3:05 AM, Subra I wrote:
> Hello All,
> I see that Kafka by itself supports client credentials as grant type for
> OAuth2. I see this mentioned in one of the Kafka KIPs as well:
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575
> Is there a way to support other grant types as well? I came across the
> following page:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-XXXX%3A+Add+support+for+OAuth+jwt-bearer+grant+type
> Here it says that there is a proposal to support jwt bearer grant type as
> well, but no details are mentioned and it looks like it may be out only in
> the future.

Yes, that KIP is a work in progress. I'm planning to submit a reviewable 
version of that KIP in the next couple of weeks. I'd love to get your input on 
it, so watch this mailing list for when it's made available.

> 1. Any idea when support for jwt bearer grant type will be available?

Support for the jwt-bearer grant type is scheduled for inclusion in Kafka 
4.1.0, which will come out mid-2025.

> 2. Is there a way to support other grant types? Any references for the same?

Absolutely! I'm not sure if there's a tutorial for it or anything, though :(

You can implement your own AuthenticateCallbackHandler implementation and 
configure your application's sasl.login.callback.handler.class [1] 
configuration to your new class. For OAuth, the configuration for the handler 
class is OAuthBearerLoginCallbackHandler [2], but you can swap in your own. You 
can take some of the bits you need from the existing implementation if you want.

One of the goals of the new KIP is to expose some of the primitives that are 
used internally by the OAuth callback handler. That will provide some building 
blocks so that it's easier for individuals to write custom handlers without 
having to resort to a bunch of code duplication.

Let me know if you have additional questions!



> Thanks,
> Subra
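
The custom-handler approach described in the reply above, as an added example that is not part of the original email and is not Kafka's own code. The class name and the JAAS options "tokenEndpoint" and "grantForm" are hypothetical; it assumes Java 11+, Jackson on the classpath, and an access token that is a JWT.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.*;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import com.fasterxml.jackson.databind.*;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.*;

public class CustomGrantLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final ObjectMapper JSON = new ObjectMapper();
    // Hypothetical JAAS options: "tokenEndpoint" (URL) and "grantForm" (form-encoded grant parameters).
    private URI endpoint; private String form;
    @Override public void configure(Map<String, ?> cfg, String mech, List<AppConfigurationEntry> jaas) {
        Map<String, ?> o = jaas.get(0).getOptions();
        endpoint = URI.create((String) o.get("tokenEndpoint"));
        form = (String) o.get("grantForm");
        // The grant request carries credentials, so refuse a cleartext endpoint.
        if (!"https".equals(endpoint.getScheme())) throw new IllegalArgumentException("tokenEndpoint must be https");
    }
    @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof OAuthBearerTokenCallback)) throw new UnsupportedCallbackException(cb);
            ((OAuthBearerTokenCallback) cb).token(fetch());
        }
    }
    private OAuthBearerToken fetch() throws IOException {
        HttpRequest req = HttpRequest.newBuilder(endpoint).timeout(java.time.Duration.ofSeconds(10))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> rsp;
        try { rsp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()); }
        catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IOException(e); }
        if (rsp.statusCode() != 200) throw new IOException("token endpoint returned " + rsp.statusCode());
        String jwt = JSON.readTree(rsp.body()).path("access_token").asText();
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IOException("access_token is not a JWT");
        // Claims are read unverified, only so the client knows when to refresh; signature checks happen on the broker.
        JsonNode c = JSON.readTree(Base64.getUrlDecoder().decode(parts[1]));
        long exp = c.path("exp").asLong() * 1000;
        if (exp <= 0) throw new IOException("token has no exp claim");
        return new OAuthBearerToken() {
            public String value() { return jwt; }
            public Set<String> scope() { return new HashSet<>(Arrays.asList(c.path("scope").asText().split(" "))); }
            public long lifetimeMs() { return exp; }
            public String principalName() { return c.path("sub").asText(); }
            public Long startTimeMs() { return null; }
        };
    }
    @Override public void close() { }
}
```

The client would select it with `sasl.login.callback.handler.class=CustomGrantLoginCallbackHandler`. The handler never logs the token or the grant parameters, and error messages carry only the HTTP status.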
