Question
External Kafka Connection: Authentication
We would like to connect to the external Kafka cluster via OAuth 2.0 OpenID Connect authentication.
As per the below article, we didn't see any option for OAuth 2.0 authentication in kafka rule instance.
https://docs-previous.pega.com/decision-management/87/creating-kafka-configuration-instance
Is it possible to authenticate via OAuth 2.0 open id connect authentication in Pega via Kafka rule instance?
***Edited by Moderator Marije to add Capability tags***
Accepted Solution
@Vaisakh.V.A I haven't tried, but referencing the documentation from Confluent.
In the data instance, give Host and Port address as your Bootstrap Server and associated port, and give below information in your propeties file. The main differenciator is sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler sasl.mechanism=OAUTHBEARER sasl.jaas.config= \ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ clientId='<client ID>' \ scope='<Requested Scope>' \ clientSecret='<Client Secret>' \ extension_logicalCluster='<Cluster ID>' \ extension_identityPoolId='<Pool ID>';
@Vaisakh.V.A I don't think that is possible with pega ootb kafka instance. We can maintain enough security with broker details, SSL or SASL and property file.
OAuth 2.0 security mechanism is not currently supported for the Stream services and not in the roadmap for future releases as well.
OAuth 2.0 is supported for Data-Admin-Kafka instances in Infinity'23 version which is currently available, as this version has Kafka-clients library 3.4.0 version that supports the latest OAuth2 client properties.
INC-A13763
Thanks for the reply. Could you please share the client properties which can be used for OAuth 2.0 authentication in kafka instance?
Accepted Solution
@Vaisakh.V.A I haven't tried, but referencing the documentation from Confluent.
In the data instance, give Host and Port address as your Bootstrap Server and associated port, and give below information in your propeties file. The main differenciator is sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler sasl.mechanism=OAUTHBEARER sasl.jaas.config= \ org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \ clientId='<client ID>' \ scope='<Requested Scope>' \ clientSecret='<Client Secret>' \ extension_logicalCluster='<Cluster ID>' \ extension_identityPoolId='<Pool ID>';
@Vaisakh.V.A please could you hit the 'Accept Solution' link against the answer that resolved your question?