Question
Tata Consultancy Services
GB
Last activity: 1 Nov 2023 10:49 EDT
External Kafka Connection: Authentication
We would like to connect to the external Kafka cluster via OAuth 2.0 OpenID Connect authentication.
As per the below article, we didn't see any option for OAuth 2.0 authentication in kafka rule instance.
https://docs-previous.pega.com/decision-management/87/creating-kafka-configuration-instance
Is it possible to authenticate via OAuth 2.0 open id connect authentication in Pega via Kafka rule instance?
***Edited by Moderator Marije to add Capability tags***
Accepted Solution
Updated: 1 Nov 2023 10:49 EDT
Ford Motor Company
US
Evonsys
IN
@Vaisakh.V.A I don't think that is possible with pega ootb kafka instance. We can maintain enough security with broker details, SSL or SASL and property file.
Ford Motor Company
US
OAuth 2.0 security mechanism is not currently supported for the Stream services and not in the roadmap for future releases as well.
OAuth 2.0 is supported for Data-Admin-Kafka instances in Infinity'23 version which is currently available, as this version has Kafka-clients library 3.4.0 version that supports the latest OAuth2 client properties.
INC-A13763
Tata Consultancy Services
GB
Thanks for the reply. Could you please share the client properties which can be used for OAuth 2.0 authentication in kafka instance?
Accepted Solution
Updated: 1 Nov 2023 10:49 EDT
Ford Motor Company
US
@Vaisakh.V.A I haven't tried, but referencing the documentation from Confluent.
In the data instance, give Host and Port address as your Bootstrap Server and associated port, and give below information in your propeties file. The main differenciator is sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL
sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.mechanism=OAUTHBEARER
sasl.jaas.config= \
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
clientId='<client ID>' \
scope='<Requested Scope>' \
clientSecret='<Client Secret>' \
extension_logicalCluster='<Cluster ID>' \
extension_identityPoolId='<Pool ID>';
Pegasystems Inc.
GB
@Vaisakh.V.A please could you hit the 'Accept Solution' link against the answer that resolved your question?
@Vaisakh.V.A I haven't tried, but referencing the documentation from Confluent.
In the data instance, give Host and Port address as your Bootstrap Server and associated port, and give below information in your propeties file. The main differenciator is sasl.mechanism=OAUTHBEARER
security.protocol=SASL_SSL
sasl.oauthbearer.token.endpoint.url=https://myidp.example.com/oauth2/default/v1/token
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.mechanism=OAUTHBEARER
sasl.jaas.config= \
org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
clientId='<client ID>' \
scope='<Requested Scope>' \
clientSecret='<Client Secret>' \
extension_logicalCluster='<Cluster ID>' \
extension_identityPoolId='<Pool ID>';