Chapter 2. Enhancements

The enhancements added in this release are outlined below.

2.1. Kafka 2.5.0 enhancements

For an overview of the enhancements introduced with Kafka 2.5.0, refer to the Kafka 2.5.0 Release Notes.

2.2. Expanded OAuth 2.0 authentication configuration options

New configuration options make it possible to integrate with a wider set of authorization servers.

Depending on how you apply OAuth 2.0 authentication, and the type of authorization server, there are additional (optional) configuration settings you can use.

Additional configuration options for Kafka brokers required \
  # ...
  oauth.check.issuer=false \ 1
  oauth.fallback.username.claim="CLIENT-ID" \ 2
  oauth.fallback.username.prefix="CLIENT-ACCOUNT" \ 3
  oauth.valid.token.type="bearer" \ 4
  oauth.userinfo.endpoint.uri="https:://AUTH-SERVER-ADDRESS/userinfo" ; 5

If your authorization server does not provide an iss claim, it is not possible to perform an issuer check. In this situation, set oauth.check.issuer to false and do not specify a oauth.valid.issuer.uri. Default is true.
An authorization server may not provide a single attribute to identify both regular users and clients. A client authenticating in its own name might provide a client ID. But a user authenticating using a username and password, to obtain a refresh token or an access token, might provide a username attribute in addition to a client ID. Use this fallback option to specify the username claim (attribute) to use if a primary user ID attribute is not available.
In situations where oauth.fallback.username.claim is applicable, it may also be necessary to prevent name collisions between the values of the username claim, and those of the fallback username claim. Consider a situation where a client called producer exists, but also a regular user called producer exists. In order to differentiate between the two, you can use this property to add a prefix to the user ID of the client.
(Only applicable when using an introspection endpoint URI) Depending on the authorization server you are using, the introspection endpoint may or may not return the token type attribute, or it may contain different values. You can specify a valid token type value that the response from the introspection endpoint has to contain.
(Only applicable when using an introspection endpoint URI) The authorization server may be configured or implemented in such a way to not provide any identifiable information in an introspection endpoint response. In order to obtain the user ID, you can configure the URI of the userinfo endpoint as a fallback. The oauth.fallback.username.claim, oauth.fallback.username.claim, and oauth.fallback.username.prefix settings are applied to the response of the userinfo endpoint.

Additional configuration options for Kafka components

# ...
System.setProperty(ClientConfig.OAUTH_SCOPE, "SCOPE-VALUE") 1

(Optional) The scope for requesting the token from the token endpoint. An authorization server may require a client to specify the scope.

See Configuring OAuth 2.0 support for Kafka brokers and Configuring Kafka Java clients to use OAuth 2.0.

2.3. Cross-Origin Resource Sharing (CORS) for Kafka Bridge

You can now enable and define access control for the Kafka Bridge through Cross-Origin Resource Sharing (CORS). CORS is a HTTP mechanism that allows browser access to selected resources from more than one origin. To configure CORS, you define a list of allowed resource origins and HTTP methods to access them. Additional HTTP headers in requests describe the origins that are permitted access to the Kafka cluster.

HTTP configuration for the Kafka Bridge

http.cors.enabled=true 1
http.cors.allowedOrigins= 2
http.cors.allowedMethods=GET,POST,PUT,DELETE,OPTIONS,PATCH 3

Set to true to enable CORS.
Comma-separated list of allowed CORS origins. You can use a URL or a Java regular expression.
Comma-separated list of allowed HTTP methods for CORS.

See Kafka Bridge HTTP configuration.