OAuth2

Generic configuration

In general, the structure of the OAuth2 config looks as follows:

```yaml
auth:
  type: OAUTH2
  oauth2:
    client:
      <unique_name>:
        clientId: xxx
        clientSecret: yyy
        scope: openid
        client-name: cognito # will be displayed on the login page
        provider: <provider>
        redirect-uri: http://localhost:8080/login/oauth2/code/<provider>
        authorization-grant-type: authorization_code
        issuer-uri: <issuer-uri>
        jwk-set-uri: <jwk-set-uri>
        user-name-attribute: <zzz>
        custom-params:
          type: <provider_type> # set this if you are going to use RBAC. Supported values: cognito, google, github, oauth (for other generic providers)
          roles-field: groups # required for RBAC: the name of the field in the OAuth token that contains the user's roles/groups
```
Service Discovery

For specific providers like GitHub (non-enterprise) and Google (see the current list), you don't have to specify the URIs, as they are well known.

Furthermore, other providers that support OIDC Service Discovery allow the URI configuration to be fetched from a /.well-known/openid-configuration endpoint. Depending on your setup, you may only have to set the issuer-uri of your provider to enable OIDC Service Discovery.
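The following script shows what setting only issuer-uri delegates to discovery: it builds the well-known URL, validates the returned document, and maps its endpoints onto the explicit property names used elsewhere on this page (authorization-uri, token-uri, user-info-uri, jwk-set-uri). It is an added example, not kafka-ui's own code. The discovery JSON and the idp.example.com issuer are constructed so the script runs offline; the two checks it enforces, that the document's issuer equals the issuer-uri it was fetched from and that every endpoint uses https, are what a client should verify before trusting discovered endpoints.

```python
"""OIDC Service Discovery: resolve and validate the endpoints that kafka-ui
would otherwise need as explicit properties.

Added example, not kafka-ui's own code. The discovery document below is a
constructed sample shaped like a /.well-known/openid-configuration response;
in a real setup it is fetched over HTTPS from <issuer-uri>.
"""
import json
from urllib.parse import urlparse

# Constructed sample response for a hypothetical issuer (not a real provider).
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com/realms/demo",
    "authorization_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/token",
    "userinfo_endpoint": "https://idp.example.com/realms/demo/protocol/openid-connect/userinfo",
    "jwks_uri": "https://idp.example.com/realms/demo/protocol/openid-connect/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Discovery-document field -> property name used in the config on this page.
FIELD_TO_PROPERTY = {
    "authorization_endpoint": "authorization-uri",
    "token_endpoint": "token-uri",
    "userinfo_endpoint": "user-info-uri",
    "jwks_uri": "jwk-set-uri",
}


def discovery_url(issuer_uri: str) -> str:
    """Where the document lives: issuer-uri plus the well-known path."""
    return issuer_uri.rstrip("/") + "/.well-known/openid-configuration"


def resolve_endpoints(issuer_uri: str, document_json: str) -> dict:
    """Validate a discovery document against the configured issuer-uri and
    return its endpoints keyed by kafka-ui property name.

    Raises ValueError when a required field is missing, when the document's
    'issuer' differs from the issuer-uri it was fetched from (OIDC Discovery
    requires them to be identical), or when an endpoint is not HTTPS.
    """
    doc = json.loads(document_json)
    missing = [f for f in REQUIRED_FIELDS if f not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    if doc["issuer"].rstrip("/") != issuer_uri.rstrip("/"):
        raise ValueError(
            f"issuer mismatch: configured {issuer_uri!r}, document says {doc['issuer']!r}")
    endpoints = {}
    for field, prop in FIELD_TO_PROPERTY.items():
        url = doc.get(field)
        if url is None:
            continue  # userinfo_endpoint is optional in the spec
        if urlparse(url).scheme != "https":
            raise ValueError(f"{field} must use https, got {url!r}")
        endpoints[prop] = url
    return endpoints


def is_rejected(issuer_uri: str, document_json: str) -> bool:
    """True when resolve_endpoints refuses the document (for negative checks)."""
    try:
        resolve_endpoints(issuer_uri, document_json)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    issuer = "https://idp.example.com/realms/demo"
    print("would fetch:", discovery_url(issuer))
    for prop, url in resolve_endpoints(issuer, SAMPLE_DISCOVERY_JSON).items():
        print(f"{prop}: {url}")
```

The issuer comparison is the important one: a document whose issuer does not match the configured issuer-uri would make the client accept tokens minted for a different issuer, so it is rejected rather than used.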
Provider config examples

Cognito

```yaml
kafka:
  clusters:
    - name: local
      bootstrapServers: localhost:9092
      # ...
auth:
  type: OAUTH2
  oauth2:
    client:
      cognito:
        clientId: xxx
        clientSecret: yyy
        scope: openid
        client-name: cognito
        provider: cognito
        redirect-uri: http://localhost:8080/login/oauth2/code/cognito
        authorization-grant-type: authorization_code
        issuer-uri: <cognito-issuer-uri>
        jwk-set-uri: <cognito-jwk-set-uri>
        user-name-attribute: cognito:username
        custom-params:
          type: cognito
          logoutUrl: <cognito-logout-url> # required only for cognito
```
Google

```yaml
kafka:
  clusters:
    - name: local
      bootstrapServers: localhost:9092
      # ...
auth:
  type: OAUTH2
  oauth2:
    client:
      google:
        provider: google
        clientId: xxx.apps.googleusercontent.com
        clientSecret: GOCSPX-xxx
        user-name-attribute: email
        custom-params:
          type: google
          allowedDomain: provectus.com # for RBAC
```
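To make concrete what user-name-attribute, custom-params.roles-field (generic configuration above) and custom-params.allowedDomain (Google) select from a token, here is an added illustration in Python; it is not kafka-ui's own code. All claim dictionaries are constructed samples. Assumptions: Cognito groups are read from a cognito:groups claim, Okta groups from a groups claim, and for allowedDomain the email claim's domain is compared and email_verified is additionally required, which is this example's choice rather than anything the page states.

```python
"""Resolve the login name and roles from ID-token claims using the settings
this page configures: user-name-attribute, custom-params.roles-field and,
for Google, custom-params.allowedDomain.

Added illustration, not kafka-ui's own code. The claims below are constructed
samples; in a real flow they are the payload of an ID token whose signature
has already been verified against jwk-set-uri.
"""

# Constructed sample claims (no real accounts). Claim names follow what each
# provider emits: "cognito:groups" (assumed here), Okta "groups" when the
# groups scope is requested, Google "email" plus "email_verified".
COGNITO_CLAIMS = {
    "sub": "sub-alice", "cognito:username": "alice",
    "cognito:groups": ["kafka-admins"], "email": "alice@example.com",
}
OKTA_CLAIMS = {
    "sub": "sub-bob", "email": "bob@example.com",
    "groups": ["Everyone", "kafka-readers"],
}
GOOGLE_CLAIMS = {"sub": "sub-carol", "email": "carol@provectus.com", "email_verified": True}
GOOGLE_OUTSIDER = {"sub": "sub-dave", "email": "dave@gmail.com", "email_verified": True}


def extract_principal(claims: dict, user_name_attribute: str, custom_params: dict) -> dict:
    """Return {"username": ..., "roles": [...]} for the token, or raise.

    ValueError: the configured user-name-attribute or roles-field is unusable.
    PermissionError: allowedDomain is set and the account is outside it.
    """
    username = claims.get(user_name_attribute)
    if not isinstance(username, str) or not username:
        raise ValueError(f"user-name-attribute {user_name_attribute!r} is absent from the token")

    roles = []
    roles_field = custom_params.get("roles-field")
    if roles_field:
        raw = claims.get(roles_field, [])
        if isinstance(raw, str):  # some issuers emit a single group as a string
            raw = [raw]
        if not isinstance(raw, list):
            raise ValueError(f"roles-field {roles_field!r} is not a list in the token")
        roles = [str(r) for r in raw]

    allowed = custom_params.get("allowedDomain")
    if allowed:
        email = claims.get("email", "")
        domain = email.rsplit("@", 1)[1].lower() if "@" in email else ""
        # Assumed policy: domain must match and the address must be verified.
        if domain != allowed.lower() or not claims.get("email_verified", False):
            raise PermissionError(f"{email!r} is not a verified address in {allowed}")

    return {"username": username, "roles": roles}


def is_denied(claims: dict, user_name_attribute: str, custom_params: dict) -> bool:
    """True when extract_principal refuses the token (for negative checks)."""
    try:
        extract_principal(claims, user_name_attribute, custom_params)
    except (ValueError, PermissionError):
        return True
    return False


if __name__ == "__main__":
    print(extract_principal(COGNITO_CLAIMS, "cognito:username",
                            {"type": "cognito", "roles-field": "cognito:groups"}))
    print(extract_principal(OKTA_CLAIMS, "sub", {"type": "oauth", "roles-field": "groups"}))
    print(extract_principal(GOOGLE_CLAIMS, "email",
                            {"type": "google", "allowedDomain": "provectus.com"}))
    print(is_denied(GOOGLE_OUTSIDER, "email", {"type": "google", "allowedDomain": "provectus.com"}))
```

The point to take from the last call: with user-name-attribute set to email and no allowedDomain, any Google account would log in, so allowedDomain is what restricts access to the organisation's own accounts.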
Azure

```yaml
kafka:
  clusters:
    - name: local
      bootstrapServers: localhost:9092
      # ...
auth:
  type: OAUTH2
  oauth2:
    client:
      azure:
        clientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        clientSecret: "somesecret"
        scope: openid
        client-name: azure
        provider: azure
        issuer-uri: "https://login.microsoftonline.com/{tenant_id}/v2.0"
        jwk-set-uri: "https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys"
```
GitHub

Example of the callback URL for the GitHub OAuth app settings:

<your-kafka-ui-base-url>/login/oauth2/code/github

For a self-hosted installation, see the properties in the next section.

```yaml
kafka:
  clusters:
    - name: local
      bootstrapServers: localhost:9092
      # ...
auth:
  type: OAUTH2
  oauth2:
    client:
      github:
        provider: github
        clientId: xxx
        clientSecret: yyy
        scope: read:org
        user-name-attribute: login
        custom-params:
          type: github
```
Self-hosted/Cloud (GitHub Enterprise Server)

Replace HOSTNAME with the FQDN of your self-hosted platform.

```yaml
kafka:
  clusters:
    - name: local
      bootstrapServers: localhost:9092
      # ...
auth:
  type: OAUTH2
  oauth2:
    client:
      github:
        provider: github
        clientId: xxx
        clientSecret: yyy
        scope: read:org
        user-name-attribute: login
        authorization-uri: http(s)://HOSTNAME/login/oauth/authorize
        token-uri: http(s)://HOSTNAME/login/oauth/access_token
        user-info-uri: http(s)://HOSTNAME/api/v3/user
        custom-params:
          type: github
```
Okta

```yaml
auth:
  type: OAUTH2
  oauth2:
    client:
      okta:
        clientId: xxx
        clientSecret: yyy
        scope: [ 'openid', 'profile', 'email', 'groups' ] # default for okta + groups for rbac
        client-name: Okta
        provider: okta
        redirect-uri: http://localhost:8080/login/oauth2/code/okta
        authorization-grant-type: authorization_code
        issuer-uri: https://<okta_domain>.okta.com
        jwk-set-uri: <jwk-set-uri>
        user-name-attribute: sub # default for okta, "email" also available
        custom-params:
          type: oauth
          roles-field: groups # required for RBAC
```
Keycloak

```yaml
auth:
  type: OAUTH2
  oauth2:
    client:
      keycloak:
        clientId: xxx
        clientSecret: yyy
        scope: openid
        issuer-uri: https://<keycloak_instance>/auth/realms/<realm>
        user-name-attribute: preferred_username
        client-name: keycloak
        provider: keycloak
        custom-params:
          type: keycloak
```