accessTokenIsJwt |
Configure whether the access token is treated as JWT. This must be set to false if the authorization server returns opaque tokens. Defaults to true .
|
boolean |
checkAccessTokenType |
Configure whether the access token type check is performed or not. This should be set to false if the authorization server does not include 'typ' claim in JWT token. Defaults to true .
|
boolean |
checkAudience |
Enable or disable audience checking. Audience checks identify the recipients of tokens. If audience checking is enabled, the OAuth Client ID also has to be configured using the clientId property. The Kafka broker will reject tokens that do not have its clientId in their aud (audience) claim.Default value is false .
|
boolean |
checkIssuer |
Enable or disable issuer checking. By default issuer is checked using the value configured by validIssuerUri . Default value is true .
|
boolean |
clientAudience |
The audience to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.
|
string |
clientId |
OAuth Client ID which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI.
|
string |
clientScope |
The scope to use when making requests to the authorization server’s token endpoint. Used for inter-broker authentication and for configuring OAuth 2.0 over PLAIN using the clientId and secret method.
|
string |
clientSecret |
Link to Kubernetes Secret containing the OAuth client secret which the Kafka broker can use to authenticate against the authorization server and use the introspect endpoint URI.
|
GenericSecretSource
|
connectTimeoutSeconds |
The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds.
|
integer |
customClaimCheck |
JsonPath filter query to be applied to the JWT token or to the response of the introspection endpoint for additional token validation. Not set by default.
|
string |
disableTlsHostnameVerification |
Enable or disable TLS hostname verification. Default value is false .
|
boolean |
enableECDSA |
The enableECDSA property has been deprecated. Enable or disable ECDSA support by installing BouncyCastle crypto provider. ECDSA support is always enabled. The BouncyCastle libraries are no longer packaged with Strimzi. Value is ignored.
|
boolean |
enableMetrics |
Enable or disable OAuth metrics. Default value is false .
|
boolean |
enableOauthBearer |
Enable or disable OAuth authentication over SASL_OAUTHBEARER. Default value is true .
|
boolean |
enablePlain |
Enable or disable OAuth authentication over SASL_PLAIN. There is no re-authentication support when this mechanism is used. Default value is false .
|
boolean |
failFast |
Enable or disable termination of Kafka broker processes due to potentially recoverable runtime errors during startup. Default value is true .
|
boolean |
fallbackUserNameClaim |
The fallback username claim to be used for the user id if the claim specified by userNameClaim is not present. This is useful when client_credentials authentication only results in the client id being provided in another claim. It only takes effect if userNameClaim is set.
|
string |
fallbackUserNamePrefix |
The prefix to use with the value of fallbackUserNameClaim to construct the user id. This only takes effect if fallbackUserNameClaim is true, and the value is present for the claim. Mapping usernames and client ids into the same user id space is useful in preventing name collisions.
|
string |
groupsClaim |
JsonPath query used to extract groups for the user during authentication. Extracted groups can be used by a custom authorizer. By default no groups are extracted.
|
string |
groupsClaimDelimiter |
A delimiter used to parse groups when they are extracted as a single String value rather than a JSON array. Default value is ',' (comma).
|
string |
httpRetries |
The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries.
|
integer |
httpRetryPauseMs |
The pause to take before retrying a failed HTTP request. If not set, the default is to not pause at all but to immediately repeat a request.
|
integer |
introspectionEndpointUri |
URI of the token introspection endpoint which can be used to validate opaque non-JWT tokens.
|
string |
jwksEndpointUri |
URI of the JWKS certificate endpoint, which can be used for local JWT validation.
|
string |
jwksExpirySeconds |
Configures how often are the JWKS certificates considered valid. The expiry interval has to be at least 60 seconds longer then the refresh interval specified in jwksRefreshSeconds . Defaults to 360 seconds.
|
integer |
jwksIgnoreKeyUse |
Flag to ignore the 'use' attribute of key declarations in a JWKS endpoint response. Default value is false .
|
boolean |
jwksMinRefreshPauseSeconds |
The minimum pause between two consecutive refreshes. When an unknown signing key is encountered the refresh is scheduled immediately, but will always wait for this minimum pause. Defaults to 1 second.
|
integer |
jwksRefreshSeconds |
Configures how often are the JWKS certificates refreshed. The refresh interval has to be at least 60 seconds shorter then the expiry interval specified in jwksExpirySeconds . Defaults to 300 seconds.
|
integer |
maxSecondsWithoutReauthentication |
Maximum number of seconds the authenticated session remains valid without re-authentication. This enables Apache Kafka re-authentication feature, and causes sessions to expire when the access token expires. If the access token expires before max time or if max time is reached, the client has to re-authenticate, otherwise the server will drop the connection. Not set by default - the authenticated session does not expire when the access token expires. This option only applies to SASL_OAUTHBEARER authentication mechanism (when enableOauthBearer is true ).
|
integer |
readTimeoutSeconds |
The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds.
|
integer |
tlsTrustedCertificates |
Trusted certificates for TLS connection to the OAuth server.
|
CertSecretSource array
|
tokenEndpointUri |
URI of the Token Endpoint to use with SASL_PLAIN mechanism when the client authenticates with clientId and a secret . If set, the client can authenticate over SASL_PLAIN by either setting username to clientId , and setting password to client secret , or by setting username to account username, and password to access token prefixed with $accessToken: . If this option is not set, the password is always interpreted as an access token (without a prefix), and username as the account username (a so called 'no-client-credentials' mode).
|
string |
type |
|
string |
userInfoEndpointUri |
URI of the User Info Endpoint to use as a fallback to obtaining the user id when the Introspection Endpoint does not return information that can be used for the user id.
|
string |
userNameClaim |
Name of the claim from the JWT authentication token, Introspection Endpoint response or User Info Endpoint response which will be used to extract the user id. Defaults to sub .
|
string |
validIssuerUri |
URI of the token issuer used for authentication.
|
string |
validTokenType |
Valid value for the token_type attribute returned by the Introspection Endpoint. No default value, and not checked by default.
|
string |