How to deploy a listener with Oauth authentiication

[barryzhounb]

In OpenShift, I have installed keycloak as Oauth server, now I am configuring Stimizi Kafka cluster. I had some experiences in how to deploy a SSL authentication as following, it worked well.

spec:
  kafka:
    authorization:
      type: simple
    replicas: 3
    listeners:
      - name: external
        authentication:
          type: SSL
        port: 9094
        tls: true
        type: route

Now I am going to replace SSL with Oauth.

I refer to https://strimzi.io/blog/2019/10/25/kafka-authentication-using-oauth-2.0/, it looks like:

    listeners:
      plain: {}
      tls:
        authentication:
          type: oauth
          clientId: kafka-broker
          clientSecret:
            key: secret
            secretName: broker-oauth-secret
          validIssuerUri: https://keycloak.keycloak:8443/auth/realms/master
          jwksEndpointUri: https://keycloak.keycloak:8443/auth/realms/master/protocol/openid-connect/certs
          userNameClaim: preferred_username
          tlsTrustedCertificates:
          - secretName: ca-truststore
            certificate: ca.crt

but I refer to https://strimzi.io/docs/operators/latest/using.html, it looks a little difference.

    authorization:
      type: keycloak (1)
      tokenEndpointUri: <https://<auth-server-address>/auth/realms/external/protocol/openid-connect/token> (2)
      clientId: kafka (3)
      delegateToKafkaAcls: false (4)
      disableTlsHostnameVerification: false (5)
      superUsers: (6)
      - CN=fred
      - sam
      - CN=edward
      tlsTrustedCertificates: (7)
      - secretName: oauth-server-cert
        certificate: ca.crt
      grantsRefreshPeriodSeconds: 60 (8)
      grantsRefreshPoolSize: 5 (9)

So I get confused and not sure how to deploy a listener with Oauth.

Now, I have prepared the following information for deploying Oauth listener.

Step 1: I have created a kafka-broker client id and get its secret. Then I create a secret broker-oauth-secret.

export BROKER_SECRET=89360bac-7aa0-4fbd-9277-8a1c198815a2
oc create secret generic broker-oauth-secret -n barry-kafka --from-literal=secret=$BROKER_SECRET

Step2: This is URLs for Keycloak accessing.
Keycloak: https://keycloak-barry-test.apps.aaaa-1.cp.fyre.ibm.com/auth
Keycloak Admin Console: https://keycloak-barry-test.apps.aaaa-1.cp.fyre.ibm.com/auth/admin
Keycloak Account Console: https://keycloak-barry-test.apps.aaaa-1.cp.fyre.ibm.com/auth/realms/myrealm/account

Then I want to refactor the following with above info

spec:
  kafka:
    authorization:
      type: simple
    replicas: 3
    listeners:
      - name: external
        authentication:
          type: SSL
        port: 9094
        tls: true
        type: route

I got stuck and not sure how to deploy it. Please give some guidance how to deploy listener with Oauth, an example is appreciated.

[scholzj]

You have to distinguish two different things which in Kafka are separate - authentication & authorization. In the first config you got from the blog post (apart from the old listeners format which you should not use), the authentication section configures the authentication using OAuth. The second example configures authorization using Keycloak (this is not OAuth authorization but relies on some Keycloak specific APIs). In general, both are configuring something different and both look correct to me. You just need to decide what exactly is it you want to use and then update the configuration for match your Keycloak (URLs etc.).

[scholzj]

These are Keycloak URLs. Not sure what exactly the first one does. The second provides the JWKS signing keys used to sign the tokens. They should IMHO follow the same structure with your Keycloak so you just need to update the base URL.

[barryzhounb]

Thanks @scholzj , let me try it.

[barryzhounb]

Hello @scholzj I continue to work on Oauth authentication. the above defines

          tlsTrustedCertificates:
          - secretName: ca-truststore
            certificate: ca.crt

Following the posted blog, seem that in kafka side, it needs to add Keycloak's truststore (ca.crt), Keycloak setup its own certificates (including root ca). But for my case, I have installed Keycloak via Keycloak operator, I think Keycloak operator should setup certificates for Keycloak. Do you have any idea how to get Keycloak's ca.crt?

[scholzj]

This is the public certificate for the HTTPS interface of Keycloak. But I'm afraid I have no idea where exactly it is.

[barryzhounb]

Okay, no worry. Let me google it