Thanks for the response Kirk. I will look at the links shared as well. It is clear from the earlier links that as of now, Kafka only supports client credentials grant type by default. Am I right? (Unless we do a custom implementation as mentioned by you)
On Wed, Feb 26, 2025 at 11:46 PM Kirk True <k...@kirktrue.pro> wrote:

> Hi Subra,
>
> I'm one of the authors of the OAuth support in Kafka. Answers to your questions are below...
>
> On Tue, Feb 25, 2025, at 3:05 AM, Subra I wrote:
> > Hello All,
> >
> > I see that Kafka by itself supports client credentials as grant type for OAuth2. I see this mentioned in one of the Kafka KIPs as well:
> > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575
> >
> > Is there a way to support other grant types as well? I came across the following page:
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-XXXX%3A+Add+support+for+OAuth+jwt-bearer+grant+type
> >
> > Here it says that there is a proposal to support jwt bearer grant type as well, but no details are mentioned and looks like it may be out only in future.
>
> Yes, that KIP is a work in progress. I'm planning to submit a reviewable version of that KIP in the next couple of weeks. I'd love to get your input on it, so watch this mailing list for when it's made available.
>
> > 1. Any idea when support for jwt bearer grant type will be available?
>
> Support for the jwt-bearer grant type is scheduled for inclusion in Kafka 4.1.0, which will come out mid-2025.
>
> > 2. Is there a way to support other grant types? Any references for the same?
>
> Absolutely! I'm not sure if there's a tutorial for it or anything, though :(
>
> You can implement your own AuthenticateCallbackHandler implementation and configure your application's sasl.login.callback.handler.class [1] configuration to your new class. For OAuth, the configuration for the handler class is OAuthBearerLoginCallbackHandler [2], but you can swap in your own. You can take some of the bits you need from the existing implementation if you want.
>
> One of the goals of the new KIP is to expose some of the primitives that are used internally by the OAuth callback handler. That will provide some building blocks so that it's easier for individuals to write custom handlers without having to resort to a bunch of code duplication.
>
> Let me know if you have additional questions!
>
> Thanks,
> Kirk
>
> [1] https://kafka.apache.org/documentation/#producerconfigs_sasl.login.callback.handler.class
> [2] https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
>
> > Thanks,
> > Subra
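
As an added example (not code from this thread or from the Kafka project), here is a custom login AuthenticateCallbackHandler of the kind described in the quoted reply, obtaining the token with the RFC 8693 token-exchange grant instead of client credentials. The class name, the JAAS option names `tokenEndpoint` and `subjectTokenFile`, Java 17, Jackson on the classpath, and a token endpoint that needs no separate client authentication are all assumptions.

```java
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import com.fasterxml.jackson.databind.*;
import org.apache.kafka.common.security.auth.AuthenticateCallbackHandler;
import org.apache.kafka.common.security.oauthbearer.*;
// Hypothetical handler: the client only reads sub/exp; it does not verify the JWT signature.
public class TokenExchangeLoginCallbackHandler implements AuthenticateCallbackHandler {
    record Token(String value, Set<String> scope, long lifetimeMs, String principalName, Long startTimeMs)
        implements OAuthBearerToken {}
    private Map<String, ?> opts; // options from the sasl.jaas.config entry
    @Override public void configure(Map<String, ?> configs, String mechanism, List<AppConfigurationEntry> jaas) {
        opts = jaas.get(0).getOptions();
    }
    @Override public void close() {}
    @Override public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            // Reject anything but the token callback; the login module then proceeds without SASL extensions.
            if (!(cb instanceof OAuthBearerTokenCallback)) throw new UnsupportedCallbackException(cb);
            ((OAuthBearerTokenCallback) cb).token(fetch());
        }
    }
    private OAuthBearerToken fetch() throws IOException {
        URI endpoint = URI.create((String) opts.get("tokenEndpoint")); // assumed option name
        if (!"https".equals(endpoint.getScheme())) throw new IOException("token endpoint must use https");
        String subject = Files.readString(Path.of((String) opts.get("subjectTokenFile"))).trim(); // assumed option
        String form = "grant_type=" + enc("urn:ietf:params:oauth:grant-type:token-exchange")
            + "&subject_token_type=" + enc("urn:ietf:params:oauth:token-type:jwt")
            + "&subject_token=" + enc(subject);
        HttpRequest req = HttpRequest.newBuilder(endpoint)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> res;
        try { res = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString()); }
        catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IOException(e); }
        if (res.statusCode() != 200) throw new IOException("token endpoint returned HTTP " + res.statusCode());
        ObjectMapper json = new ObjectMapper();
        String jwt = json.readTree(res.body()).path("access_token").asText();
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) throw new IOException("access_token is not a JWT");
        JsonNode claims = json.readTree(Base64.getUrlDecoder().decode(parts[1]));
        long expMs = claims.path("exp").asLong() * 1000L; // lifetimeMs is an absolute epoch time
        String sub = claims.path("sub").asText();
        if (sub.isEmpty() || expMs <= System.currentTimeMillis()) throw new IOException("token has no sub or is expired");
        return new Token(jwt, Set.of(), expMs, sub, null);
    }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
}
```

To use it, set `sasl.login.callback.handler.class` to this class and pass the two options on the OAuthBearerLoginModule entry in `sasl.jaas.config`.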