Configuring MDS for OAuth Authentication

Apr 14, 2025

Configure Metadata Service (MDS) for OAuth Authentication in Confluent Platform

Overview

This guide provides the necessary steps to configure Metadata Service (MDS) for OAuth authentication in Confluent Platform clusters. It covers configurations to support OAuth with and without LDAP, and for CLI SSO, as well as configuring MDS clients.

Configure MDS to Support OAuth

  • Configuration Settings for OAuth on MDS:

    • Enable IdP-issued OAuth token validation in MDS.
    • Replace placeholder values with actual configuration values.
    • Key configuration parameters:
      • confluent.metadata.server.oauthbearer.jwks.endpoint.url=<idp-jwks-endpoint>
      • confluent.metadata.server.oauthbearer.expected.issuer=<idp-issuer>
      • confluent.metadata.server.oauthbearer.expected.audience=Confluent,api://default,https://my-company.com
      • confluent.metadata.server.oauthbearer.sub.claim.name=sub
      • confluent.metadata.server.oauthbearer.groups.claim.name=groups
  • Truststore Configuration

    • Configure a truststore for MDS when the identity provider uses self-signed certificates for SSL, so that MDS can fetch the JWKS over a trusted connection.
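
As an added illustration (example code written for this page, not part of the page or of Confluent's MDS implementation), the Go program below does what those four oauthbearer properties ask of MDS: it looks up the signing key by kid in a JWKS document, verifies the RS256 signature, and only then checks iss against expected.issuer, exp against the clock, aud (a string or an array) against the comma-separated expected.audience list, and the presence of the claim named by sub.claim.name. The issuer URL, kid, principal and groups are constructed placeholders, the ValidatorConfig type is hypothetical, and MintDemoToken stands in for the identity provider so the program runs offline; in a real deployment MDS fetches the JWKS from jwks.endpoint.url and never sees the private key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
	"time"
)

// ValidatorConfig mirrors the confluent.metadata.server.oauthbearer.* properties on the page
// (expected.issuer, expected.audience, sub.claim.name, groups.claim.name); hypothetical type, not MDS code.
type ValidatorConfig struct {
	ExpectedIssuer, SubClaim, GroupsClaim string
	ExpectedAudience                      []string // the comma-separated property, split on ","
}

var enc = base64.RawURLEncoding

// b64d decodes one base64url segment; bad input yields nil, which json.Unmarshal rejects.
func b64d(s string) []byte { b, _ := enc.DecodeString(s); return b }

// keyFromJWKS rebuilds the RSA public key whose kid matches the token header
// (field names match the RFC 7517 "kid", "kty", "n" and "e" members case-insensitively).
func keyFromJWKS(doc []byte, kid string) (*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	for _, k := range set.Keys {
		if k.Kid == kid && k.Kty == "RSA" {
			n, e := new(big.Int).SetBytes(b64d(k.N)), new(big.Int).SetBytes(b64d(k.E))
			return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// Validate applies the checks those properties govern, in order: RS256 signature against the JWKS,
// then expected issuer, expiry, expected audience (string or array) and presence of the sub claim.
func Validate(token string, jwksDoc []byte, cfg ValidatorConfig, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	var claims map[string]any
	if len(parts) != 3 || json.Unmarshal(b64d(parts[0]), &hdr) != nil || json.Unmarshal(b64d(parts[1]), &claims) != nil {
		return nil, fmt.Errorf("malformed JWT")
	}
	if hdr.Alg != "RS256" { // reject "none" and symmetric algs before touching any key
		return nil, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := keyFromJWKS(jwksDoc, hdr.Kid)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], b64d(parts[2])) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	auds, _ := claims["aud"].([]any)
	if s, ok := claims["aud"].(string); ok {
		auds = []any{s}
	}
	exp, _ := claims["exp"].(float64)
	switch {
	case claims["iss"] != cfg.ExpectedIssuer:
		return nil, fmt.Errorf("issuer %v not trusted", claims["iss"])
	case exp == 0 || now.Unix() >= int64(exp):
		return nil, fmt.Errorf("token expired or missing exp")
	case !slices.ContainsFunc(auds, func(a any) bool { return slices.Contains(cfg.ExpectedAudience, fmt.Sprint(a)) }):
		return nil, fmt.Errorf("audience not accepted")
	case claims[cfg.SubClaim] == nil:
		return nil, fmt.Errorf("missing %q claim", cfg.SubClaim)
	}
	return claims, nil
}

// MintDemoToken plays the IdP for the demo: it signs claims with priv and publishes the public half
// as a JWKS document. In production only the IdP holds the private key; MDS only fetches the JWKS.
func MintDemoToken(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, []byte) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	jwks, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kid": kid, "kty": "RSA",
		"n": enc.EncodeToString(priv.N.Bytes()), "e": enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}})
	return input + "." + enc.EncodeToString(sig), jwks
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo key, issuer, principal and groups
	cfg := ValidatorConfig{ExpectedIssuer: "https://idp.example.test", SubClaim: "sub", GroupsClaim: "groups",
		ExpectedAudience: strings.Split("Confluent,api://default,https://my-company.com", ",")}
	now := time.Now()
	tok, jwks := MintDemoToken(priv, "key-1", map[string]any{"iss": cfg.ExpectedIssuer, "aud": "api://default",
		"sub": "svc-schema-registry", "groups": []string{"sr-admins"}, "exp": now.Add(time.Hour).Unix()})
	claims, err := Validate(tok, jwks, cfg, now)
	fmt.Println(claims[cfg.SubClaim], claims[cfg.GroupsClaim], err)
}
```

Run it with go run; it prints the principal and groups that MDS would map to role bindings, followed by a nil error. The order of checks is the point worth keeping: the alg and signature checks come before any claim is read, so an unsigned or tampered payload never reaches the issuer and audience comparisons, and a token signed by a key that is not in the JWKS (wrong kid) is rejected as well. A token whose aud matches none of the comma-separated values is refused even when its signature and issuer are valid, which is why the expected.audience list has to include every audience the identity provider actually issues for MDS.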

Configure MDS to Enable OAuth Without LDAP

  • Important Notes:
    • HTTP Basic authentication (username:password) is not supported.
    • Use a token from your identity provider or a Confluent-issued token to interact with MDS.
    • Configuration: confluent.metadata.server.user.store=OAUTH

Configure MDS to Enable OAuth with LDAP

  • Use Case:
    • Adds OAuth support without removing LDAP.
    • Useful for client migration scenarios.
    • Configuration: confluent.metadata.server.user.store=LDAP_WITH_OAUTH

Configure MDS for CLI SSO

  • Configuration for CLI SSO:
    • Extend the Control Center (C3) SSO configuration with one additional setting.
    • Add confluent.oidc.idp.device.authorization.endpoint.uri=<idp-device-auth-endpoint>

Configure MDS Clients

  • Connection Flow:
    • MDS clients (e.g., Confluent Control Center, Schema Registry, Connect) should obtain a JWT from their identity provider.
    • Example curl request to get the token:

          curl -X POST \
            -H "Authorization: Basic <base-64-encoded client-id:client-secret>" \
            -H "Content-Type: application/x-www-form-urlencoded" \
            -d "grant_type=client_credentials" \
            -d "scope=groups" \
            <idp-token-endpoint>

    • After receiving the token, include it as a Bearer credential in the Authorization header when calling MDS.
    • Example request to MDS:

          curl -X GET "http://localhost:8090/security/1.0/roles" \
            -H "accept: application/json" \
            -H "Authorization: Bearer <bearer-token>"
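
The same two-step exchange, written out as an added Go example (example code for this page, not code from the page or from Confluent): FetchToken sends the client_credentials request the way the curl command above does (HTTP Basic with client-id:client-secret, form-encoded grant_type and scope) and ListRoles presents the returned access_token as a Bearer credential to /security/1.0/roles. fakeIdP and fakeMDS are constructed stand-ins built on httptest so the flow runs offline; the client id, secret, token string and roles list are placeholders, and the JSON shape of the fake MDS reply is an assumption for the example rather than documented MDS output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// FetchToken performs the client_credentials request from the page: HTTP Basic with the
// client id and secret, form-encoded grant_type and scope, and returns the access_token.
func FetchToken(tokenEndpoint, clientID, clientSecret string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "scope": {"groups"}}
	req, err := http.NewRequest(http.MethodPost, tokenEndpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(clientID, clientSecret) // Authorization: Basic base64(client-id:client-secret)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var body struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil || body.AccessToken == "" {
		return "", fmt.Errorf("no access_token in token response")
	}
	return body.AccessToken, nil
}

// ListRoles calls the MDS roles endpoint from the page with the token as a Bearer credential.
func ListRoles(mdsURL, token string) ([]string, error) {
	req, _ := http.NewRequest(http.MethodGet, mdsURL+"/security/1.0/roles", nil)
	req.Header.Set("accept", "application/json")
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		b, _ := io.ReadAll(resp.Body)
		return nil, fmt.Errorf("MDS returned %s: %s", resp.Status, strings.TrimSpace(string(b)))
	}
	var roles []string
	return roles, json.NewDecoder(resp.Body).Decode(&roles)
}

// fakeIdP is a constructed stand-in for the identity provider's token endpoint: it checks the
// Basic credentials and grant type and hands back a placeholder access_token.
func fakeIdP(clientID, clientSecret string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if r.Method != http.MethodPost || !ok || id != clientID || secret != clientSecret ||
			r.FormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"access_token":"demo.jwt.token","token_type":"Bearer","expires_in":3600}`)
	}))
}

// fakeMDS is a constructed stand-in for MDS: it accepts only the expected Bearer token on the
// roles path and answers with a placeholder JSON array (the real response shape is not shown on the page).
func fakeMDS(expectedToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/security/1.0/roles" || r.Header.Get("Authorization") != "Bearer "+expectedToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `["DeveloperRead","DeveloperWrite","ResourceOwner"]`)
	}))
}

// RunFlow wires the two calls together and returns the roles MDS reported.
func RunFlow(idpTokenURL, mdsURL, clientID, clientSecret string) ([]string, error) {
	token, err := FetchToken(idpTokenURL, clientID, clientSecret)
	if err != nil {
		return nil, err
	}
	return ListRoles(mdsURL, token)
}

func main() {
	idp := fakeIdP("schema-registry", "s3cret") // constructed client credentials
	defer idp.Close()
	mds := fakeMDS("demo.jwt.token")
	defer mds.Close()
	fmt.Println(RunFlow(idp.URL, mds.URL, "schema-registry", "s3cret"))
}
```

The two failure paths the stand-ins exercise are the ones a misconfigured MDS client hits in practice: a wrong client secret fails at the identity provider before any call to MDS is made, and a token MDS does not accept produces a 401 from the roles endpoint rather than an empty role list, so a client should surface that status instead of treating it as "no roles".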