KAFKA-18608: Add documentation for OAuth client assertion authentication (KIP-1258)#21859

Merged
omkreddy merged 1 commit into apache:trunk from prabhashkr:KIP-1258-docs on Mar 30, 2026

@prabhashkr
Contributor

  • Add documentation for client assertion authentication support in the client_credentials grant type, introduced in https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258 / PR KAFKA-18608: Add Support for OAuth Client Assertion to client_credentials Grant Type #21483
  • Document the three-tier fallback mechanism (file-based assertion > locally-generated assertion > client secret)
  • Add configuration examples for dynamically-generated assertions, pre-generated assertion files, and assertion template files
  • Clarify that DefaultJwtRetriever auto-delegates to ClientCredentialsJwtRetriever for HTTP/HTTPS endpoints, so sasl.oauthbearer.jwt.retriever.class does not need to be set explicitly in most cases
  • Update "Secure/Production Use" section to reference built-in JWT retriever implementations
  • Add security considerations for client assertion (replay protection via JTI, short-lived assertions)

@github-actions github-actions bot added docs small Small PRs triage PRs from the community labels Mar 24, 2026
Contributor

@kirktrue kirktrue left a comment

Thanks @prabhashkr. This is a lot better than before!

@github-actions github-actions bot removed the triage PRs from the community label Mar 28, 2026
@omkreddy omkreddy merged commit a26b2fd into apache:trunk Mar 30, 2026
2 checks passed
omkreddy pushed a commit that referenced this pull request Mar 30, 2026
…tion (KIP-1258) (#21859)

- Add documentation for client assertion authentication support in the
client_credentials grant type, introduced in
https://cwiki.apache.org/confluence/display/KAFKA/KIP-1258 / PR #21483
- Document the three-tier fallback mechanism (file-based assertion >
locally-generated assertion > client secret)
- Add configuration examples for dynamically-generated assertions,
pre-generated assertion files, and assertion template files
- Clarify that DefaultJwtRetriever auto-delegates to
`ClientCredentialsJwtRetriever` for HTTP/HTTPS endpoints, so
`sasl.oauthbearer.jwt.retriever.class` does not need to be set
explicitly in most cases
- Update "Secure/Production Use" section to reference built-in JWT
retriever implementations
- Add security considerations for client assertion (replay protection
via JTI, short-lived assertions)

Reviewers: Kirk True <kirk@kirktrue.pro>, Manikumar Reddy <manikumar.reddy@gmail.com>
@omkreddy
Contributor

merged to trunk and 4.3
