Chapter 2. Enhancements

The enhancements added in this release are outlined below.

2.1. Kafka 2.7.0 enhancements

For an overview of the enhancements introduced with Kafka 2.7.0, refer to the Kafka 2.7.0 Release Notes.

2.2. OAuth 2.0 authentication and authorization

This release includes the following enhancements to OAuth 2.0 token-based authentication and authorization.

Checks on JWT access tokens

You can now configure two additional checks on JWT access tokens. Both of these checks are configured in the OAuth 2.0 authentication listener configuration.

Custom claim checks

Custom claim checks let you impose additional rules on the validation of JWT access tokens by Kafka brokers, on top of the standard token validation. A rule is expressed as a JsonPath filter query that is evaluated against the claims of the token.

If the token does not satisfy the filter query, it is rejected. When using introspection endpoint token validation, the custom check is applied to the JSON returned by the introspection endpoint rather than to the token itself, so the query must reference the fields of that response.

To configure a custom claim check, add the oauth.custom.claim.check option to the OAuth 2.0 listener configuration in the server.properties file, with the JsonPath filter query as its value. Custom claim checks are disabled by default.

See Configuring OAuth 2.0 support for Kafka brokers

Audience checks

Your authorization server might include an aud (audience) claim in JWT access tokens to identify the intended recipients of the token.

When audience checks are enabled, the Kafka broker rejects tokens whose aud claim does not contain the broker's client ID (the value of the oauth.client.id option). Without this check, a valid token that was issued for a different service is accepted by the broker.

To enable audience checks, set the oauth.check.audience option to true in the OAuth 2.0 listener configuration. Audience checks are disabled by default.

See Configuring OAuth 2.0 support for Kafka brokers
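The following server.properties fragment is an added illustration of both checks on one listener; it is not taken from the AMQ Streams documentation. The listener name client, the authorization server address and realm, the broker client ID kafka-broker, and the filter query (which assumes the tokens carry typ and scope claims) are placeholders to adapt to your deployment.

```properties
# Added example, not from the AMQ Streams docs: OAuth 2.0 listener named "client"
# with JWT validation via JWKS, an audience check and a custom claim check.
# AUTH-SERVER-ADDRESS, REALM-NAME, "kafka-broker" and the claim names are placeholders.

# Audience check: the token's aud claim must contain oauth.client.id ("kafka-broker").
# Custom claim check: a JsonPath filter query over the token's claims; a token that
# passes signature/issuer/expiry validation but fails the query is still rejected.
listener.name.client.oauthbearer.sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
  oauth.valid.issuer.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME" \
  oauth.jwks.endpoint.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME/protocol/openid-connect/certs" \
  oauth.username.claim="preferred_username" \
  oauth.client.id="kafka-broker" \
  oauth.check.audience="true" \
  oauth.custom.claim.check="@.typ == 'Bearer' && @.scope =~ /.*kafka.*/" ;
listener.name.client.oauthbearer.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler
```

If the listener uses introspection endpoint validation (oauth.introspection.endpoint.uri instead of oauth.jwks.endpoint.uri), the same query is run against the introspection response JSON, so the field names in the query must be the ones that endpoint returns rather than the raw token claims.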

Support for OAuth 2.0 over SASL PLAIN authentication

You can now configure the PLAIN mechanism for OAuth 2.0 authentication between Kafka clients and Kafka brokers. Previously, the only supported authentication mechanism was OAUTHBEARER.

PLAIN is a simple authentication mechanism supported by all Kafka client tools (including developer tools such as kafkacat). AMQ Streams includes server-side callbacks that enable PLAIN to be used with OAuth 2.0 authentication. These capabilities are referred to as OAuth 2.0 over PLAIN.

Note

Red Hat recommends using OAUTHBEARER authentication for clients whenever possible. OAUTHBEARER provides a higher level of security than PLAIN because the client obtains its access token directly from the authorization server and its credentials are never shared with Kafka brokers. With OAuth 2.0 over PLAIN, the client ID and secret (or the access token) are sent to the broker as the SASL username and password, so the listener must be protected with TLS. Consider using PLAIN only with Kafka clients that do not support OAUTHBEARER.

When used with the provided OAuth 2.0 over PLAIN callbacks, Kafka clients can authenticate with Kafka brokers using either of the following methods:

  • Client ID and secret (by using the OAuth 2.0 client credentials mechanism)
  • A long-lived access token, obtained manually at configuration time

To use PLAIN, you must enable it in the server.properties file, in the OAuth authentication listener configuration.

See OAuth 2.0 authentication mechanisms and Configuring OAuth 2.0 support for Kafka brokers
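The following fragments are an added illustration of OAuth 2.0 over PLAIN, not configuration taken from the AMQ Streams documentation: the broker side enables PLAIN on a listener named client next to the existing OAUTHBEARER mechanism, and the client side shows the two credential forms described above. The authorization server address and realm, the client ID kafka-producer-client and its secret, and the token placeholder are assumed values; the $accessToken: password prefix is the Strimzi OAuth library convention for passing a token over PLAIN, so confirm it against the linked configuration documentation for your release.

```properties
# Added example, not from the AMQ Streams docs.
# ---- Broker side (server.properties), listener named "client" ----
# PLAIN carries credentials in the SASL exchange, so the listener must use TLS.
listener.security.protocol.map=CLIENT:SASL_SSL
sasl.enabled.mechanisms=OAUTHBEARER,PLAIN

# Token validation settings are the same as for OAUTHBEARER; oauth.token.endpoint.uri
# is what lets the broker exchange a client ID and secret for a token on the client's behalf.
listener.name.client.plain.sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  oauth.valid.issuer.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME" \
  oauth.jwks.endpoint.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME/protocol/openid-connect/certs" \
  oauth.username.claim="preferred_username" \
  oauth.token.endpoint.uri="https://AUTH-SERVER-ADDRESS/auth/realms/REALM-NAME/protocol/openid-connect/token" ;
listener.name.client.plain.sasl.server.callback.handler.class=io.strimzi.kafka.oauth.server.plain.JaasServerOauthOverPlainValidatorCallbackHandler

# ---- Client side, option 1 (client.properties): client ID and secret ----
# The broker uses these with the client credentials grant against oauth.token.endpoint.uri.
security.protocol=SASL_SSL
sasl.mechanism=PLAIN
sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
  username="kafka-producer-client" \
  password="kafka-producer-client-secret" ;

# ---- Client side, option 2 (a separate client.properties): long-lived access token ----
# The token is obtained manually at configuration time; the username is not used for
# validation, the identity comes from the token's oauth.username.claim.
# security.protocol=SASL_SSL
# sasl.mechanism=PLAIN
# sasl.jaas.config=org.apache.kafka.common.security.plain.PlainLoginModule required \
#   username="kafka-producer-client" \
#   password="$accessToken:<ACCESS-TOKEN>" ;
```

Non-Java clients such as kafkacat take the same two values as their SASL PLAIN username and password; nothing OAuth-specific is needed on the client, which is the point of the mechanism. Keep the secret or token out of world-readable files and rotate a long-lived token as you would any static credential.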