Enable OAuth2/OIDC support for Apache Kafka® REST proxy#
Secure your Apache Kafka® resources by integrating OAuth 2.0/OpenID Connect (OIDC) with the Karapace REST proxy and enabling REST proxy authorization. This setup ensures that only authorized individuals can manage Apache Kafka resources through both token-based authentication and access control rules.
OAuth2/OIDC token handling#
Karapace processes the JSON Web Token (JWT) obtained from the Authorization HTTP header, specifically when employing the Bearer authentication scheme. This allows OAuth2/OIDC credentials to be supplied directly to the REST proxy, which uses the provided token to authorize requests to Apache Kafka. When a Bearer token is presented, Kafka clients configured by Karapace use the SASL OAUTHBEARER mechanism to send the JWT for validation.
Managing token expiry#
With OAuth2/OIDC enabled, Karapace manages Kafka client connections for security and performance. It automatically cleans up idle clients and those with tokens nearing expiration, typically on a 5-minute cycle. This cleanup prevents unauthorized access with expired tokens and clears idle connections.
Before your token expires, remove any linked consumers and producers to avoid security issues and service interruptions. After removal, refresh your OAuth2 JWT tokens and reconnect with the new tokens.
Configure OAuth2/OIDC authentication#
To establish OAuth2/OIDC authentication for the Karapace REST proxy, complete the following prerequisites and configuration steps:
Configuration via Aiven Console#
In Aiven Console, select your project and then choose your Aiven for Apache Kafka® service.
On the Overview page, scroll down to Advanced configuration and select Configure.
In the Advanced configuration screen, select Add configuration options.
kafka_rest_authorizationparameter and set it to
Configuration via Aiven CLI#
To enable REST proxy authorization, use the following command in the Aiven CLI, replacing
SERVICE_NAME with your actual service name:
avn service update -c kafka_rest_authorization=true SERVICE_NAME
Disable REST proxy authorization, use:
avn service update -c kafka_rest_authorization=false SERVICE_NAME
Enabling Apache Kafka REST proxy authorization can disrupt access for users if the Kafka access control rules have not been configured properly. For more information, see Manage Apache Kafka® REST proxy authorization.