Hi Subra,

On Thu, Feb 27, 2025, at 5:41 AM, Subra I wrote:
> Thanks for the response Kirk. I will look at the links shared as well.
> 
> It is clear from the earlier links that as of now, Kafka only supports
> client credentials grant type by default. Am I right? (Unless we do a
> custom implementation as mentioned by you)

That is correct.

If you do end up writing another implementation, it would be great if it could 
be contributed back to the community. I'd love to see more additions in this 
area.

Thanks,
Kirk

> On Wed, Feb 26, 2025 at 11:46 PM Kirk True <k...@kirktrue.pro> wrote:
> 
> > Hi Subra,
> >
> > I'm one of the authors of the OAuth support in Kafka. Answers to your
> > questions are below...
> >
> > On Tue, Feb 25, 2025, at 3:05 AM, Subra I wrote:
> > > Hello All,
> > >
> > > I see that Kafka by itself supports client credentials as grant type for
> > > > OAuth2. I see this mentioned in one of the Kafka KIPs as well:
> > >
> > > > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575
> > >
> > > Is there a way to support other grant types as well? I came across the
> > > following page:
> > >
> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-XXXX%3A+Add+support+for+OAuth+jwt-bearer+grant+type
> > >
> > > Here it says that there is a proposal to support jwt bearer grant type as
> > > well, but no details are mentioned and looks like it may be out only in
> > > future.
> >
> > Yes, that KIP is a work in progress. I'm planning to submit a reviewable
> > version of that KIP in the next couple of weeks. I'd love to get your input
> > on it, so watch this mailing list for when it's made available.
> >
> > >
> > > 1. Any idea when support for jwt bearer grant type will be available?
> >
> > Support for the jwt-bearer grant type is scheduled for inclusion in Kafka
> > 4.1.0, which will come out mid-2025.
> >
> > > > 2. Is there a way to support other grant types? Any references for the
> > > > same?
> >
> > Absolutely! I'm not sure if there's a tutorial for it or anything, though
> > :(
> >
> > You can implement your own AuthenticateCallbackHandler implementation and
> > configure your application's sasl.login.callback.handler.class [1]
> > configuration to your new class. For OAuth, the configuration for the
> > handler class is OAuthBearerLoginCallbackHandler [2], but you can swap in
> > your own. You can take some of the bits you need from the existing
> > implementation if you want.
> >
> > One of the goals of the new KIP is to expose some of the primitives that
> > are used internally by the OAuth callback handler. That will provide some
> > building blocks so that it's easier for individuals to write custom
> > handlers without having to resort to a bunch of code duplication.
> >
> > Let me know if you have additional questions!
> >
> > Thanks,
> > Kirk
> >
> > [1]
> > https://kafka.apache.org/documentation/#producerconfigs_sasl.login.callback.handler.class
> > [2]
> > https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/OAuthBearerLoginCallbackHandler.java
> >
> >
> > > Thanks,
> > > Subra
> > >
> >
> 
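
The custom-handler approach described in the thread, as an added example that is not part of the original messages and is not code from Kirk or the Kafka project. The class name and the JAAS option names `tokenEndpoint` and `assertion` are hypothetical; it assumes Java 11+, Jackson on the classpath, a pre-signed assertion supplied by configuration, and a JWT access token carrying `sub` and `exp` claims.

```java
import java.io.IOException;
import java.net.*;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.AppConfigurationEntry;
import com.fasterxml.jackson.databind.*;
import org.apache.kafka.common.security.auth.*;
import org.apache.kafka.common.security.oauthbearer.*;

// Hypothetical handler: set sasl.login.callback.handler.class to this class name.
public class JwtBearerLoginCallbackHandler implements AuthenticateCallbackHandler {
    private static final ObjectMapper JSON = new ObjectMapper();
    private Map<String, ?> opts;
    @Override
    public void configure(Map<String, ?> configs, String mechanism, List<AppConfigurationEntry> jaas) {
        opts = jaas.get(0).getOptions();   // options given in sasl.jaas.config (names are assumptions)
    }
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof OAuthBearerTokenCallback) {
                try { ((OAuthBearerTokenCallback) cb).token(fetch()); }
                catch (InterruptedException e) { Thread.currentThread().interrupt(); throw new IOException(e); }
            } else if (!(cb instanceof SaslExtensionsCallback)) {   // this handler sends no SASL extensions
                throw new UnsupportedCallbackException(cb);
            }
        }
    }
    private OAuthBearerToken fetch() throws IOException, InterruptedException {
        String form = "grant_type=" + URLEncoder.encode("urn:ietf:params:oauth:grant-type:jwt-bearer", StandardCharsets.UTF_8)
            + "&assertion=" + URLEncoder.encode((String) opts.get("assertion"), StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create((String) opts.get("tokenEndpoint")))   // use an https:// endpoint
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
        HttpResponse<String> rsp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (rsp.statusCode() != 200) throw new IOException("token endpoint returned " + rsp.statusCode());
        String jwt = JSON.readTree(rsp.body()).get("access_token").asText();
        // Claims are read only for the principal name and refresh timing; the signature is not verified here.
        JsonNode claims = JSON.readTree(Base64.getUrlDecoder().decode(jwt.split("\\.")[1]));
        return new OAuthBearerToken() {
            public String value() { return jwt; }
            public Set<String> scope() { return Collections.emptySet(); }
            public long lifetimeMs() { return claims.get("exp").asLong() * 1000L; }
            public String principalName() { return claims.get("sub").asText(); }
            public Long startTimeMs() { return null; }
        };
    }
    @Override public void close() { }
}
```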
