
Lab: Enabling OAuth2

Open your personal Keycloak realm console via this URL, replacing {YOUR_REALM} with your personal realm name:

https://keycloak.sebastian.spielwiese.k8s.workshop.thinkport.cloud/admin/{YOUR_REALM}/console

Lab Exercise: Add an OAuth2 Listener

Hint

Use the template workspace/exercises/setup_security/setup_oauth/cluster-1.kafka.yaml.template to implement this iteration of your cluster definition.

Solution

Add the following listener to your cluster definition, replacing 2 occurrences of YOUR_REALM_NAME with the name of your personal Keycloak realm.

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
# ...
spec:
  kafka:
    listeners:
      # <existing listeners>
      - name: oauth
        port: 9095
        type: internal
        tls: true
        authentication:
          type: oauth
          validIssuerUri: https://keycloak.keycloak/realms/YOUR_REALM_NAME
          jwksEndpointUri: https://keycloak.keycloak/realms/YOUR_REALM_NAME/protocol/openid-connect/certs
          userNameClaim: preferred_username
          maxSecondsWithoutReauthentication: 3600
          tlsTrustedCertificates:
            - secretName: cluster-1-tls-managed
              certificate: ca.crt
          enableMetrics: true
        configuration:
          brokerCertChainAndKey:
            secretName: cluster-1-tls-managed
            certificate: tls.crt
            key: tls.key

Lab Exercise: Create a Client in Keycloak

Create a client in your Keycloak realm called oauth-client-01:

  • Enable client authentication
  • Enable service accounts roles
  • Disable all other auth flows
  • Do not configure a PKCE method
  • Do not configure a root or home URL

Screenshots: Step 1, Step 2 (client creation wizard; images not reproduced here)

Lab Exercise: Configuring Broker & Clients with OAuth2

Step 1: Add Client to SuperUsers

Your Keycloak client was provisioned with an accompanying Keycloak user (its service account). The username of that user is what Kafka extracts from the token (via the configured userNameClaim, preferred_username) to check the client's permissions. Add this username to the list of superUsers in your cluster definition.

Hint: Username

The user created for your client will be called service-account-oauth-client-01.

Solution

Add the username to the list of superUsers:

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
# ...
spec:
  kafka:
    # ...
    authorization:
      type: simple
      superUsers:
        - client-01 # unrelated to this exercise; keep it so the previous SCRAM auth still works
        - service-account-oauth-client-01
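To make the listener and superUsers settings above concrete, here is an added example (not part of the lab or of Strimzi) that mirrors what the broker does with a bearer token: verify the RS256 signature against a realm key (the broker fetches these from jwksEndpointUri), require iss to equal validIssuerUri, and take preferred_username as the Kafka principal that is then matched against superUsers. The realm name is kept as the placeholder from the cluster definition; SignJWT only mints constructed test tokens in place of Keycloak's token endpoint, and the key is generated locally instead of being fetched.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Values copied from the oauth listener and superUsers list above; the realm name stays a placeholder.
const validIssuerURI = "https://keycloak.keycloak/realms/YOUR_REALM_NAME"
var superUsers = map[string]bool{"client-01": true, "service-account-oauth-client-01": true}
var b64 = base64.RawURLEncoding
func digest(signingInput string) []byte { d := sha256.Sum256([]byte(signingInput)); return d[:] }

// SignJWT mints an RS256 token as Keycloak's token endpoint would; used only to build constructed test input.
func SignJWT(key *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(in))
	return in + "." + b64.EncodeToString(sig)
}

// Principal mirrors the listener: the RS256 signature must verify against a realm key (the broker fetches
// them from jwksEndpointUri), iss must equal validIssuerUri, and preferred_username becomes the principal.
func Principal(token string, realmKey *rsa.PublicKey) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", errors.New("malformed token")
	}
	h, _ := b64.DecodeString(p[0])
	c, _ := b64.DecodeString(p[1])
	var hdr struct{ Alg string }
	claims := map[string]any{}
	if json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" || json.Unmarshal(c, &claims) != nil {
		return "", errors.New("bad header or claims (alg pinned to RS256: rejects alg=none and HMAC downgrades)")
	}
	if sig, _ := b64.DecodeString(p[2]); rsa.VerifyPKCS1v15(realmKey, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return "", errors.New("signature was not made by a realm key")
	}
	user, ok := claims["preferred_username"].(string)
	if claims["iss"] != validIssuerURI || !ok || user == "" {
		return "", errors.New("wrong issuer or missing preferred_username claim")
	}
	return user, nil // the caller then checks superUsers[user] before evaluating ACLs
}
```

A token for service-account-oauth-client-01 from the configured realm resolves to a superuser; a token with a foreign issuer, a foreign signing key, a tampered payload or alg=none is rejected before any authorization decision.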

Step 2: Create Client Config

Warning

It is recommended to copy your previous ConfigMap definition for this exercise. You may also use the template workspace/exercises/setup_security/setup_oauth/cluster-1_client-cfg.configmap.yaml.template to implement this iteration of your client configuration ConfigMap definition, but keep in mind to replace the 2x REPLACE_ME as well as the 2x MY_NAMESPACE of the previous properties definitions (with the passwords of the corresponding KafkaUsers and your namespace), so that you do not overwrite your previous configurations.

Add a new client configuration based on the existing client-tls-scram-client01.properties to your ConfigMap, using the TCP port of the OAuth listener (9095). Also implement the following changes, using the Strimzi documentation:

  • Set the SASL mechanism to OAUTHBEARER
  • Set the JAAS config to org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;
  • Add the SASL login callback handler class to io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
  • Add the OAuth2 client ID and secret
  • Add your Keycloak realm token endpoint
  • Add your Keycloak realm as valid issuer URI
  • Set the username claim to preferred_username
Solution

Add the following value to your client configuration ConfigMap, replacing:

  • 1 occurrence of MY_NAMESPACE with the name of your namespace
  • 1 occurrence of YOUR_CLIENT_SECRET with the client secret of your Keycloak client
  • 2 occurrences of YOUR_REALM with the name of your personal Keycloak realm
client-tls-oauth-client01.properties: |
    bootstrap.servers=cluster-1-kafka-bootstrap.MY_NAMESPACE:9095

    security.protocol=SASL_SSL
    sasl.mechanism=OAUTHBEARER
    sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required ;
    sasl.login.callback.handler.class=io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
    oauth.client.id=oauth-client-01
    oauth.client.secret=YOUR_CLIENT_SECRET
    oauth.token.endpoint.uri=https://keycloak.keycloak/realms/YOUR_REALM/protocol/openid-connect/token
    oauth.valid.issuer.uri=https://keycloak.keycloak/realms/YOUR_REALM
    oauth.username.claim=preferred_username

    ssl.truststore.location=/run/secrets/ca/truststore.jks
    ssl.truststore.type=JKS
    javax.net.ssl.trustStore=/run/secrets/ca/truststore.jks
    javax.net.ssl.trustStorePassword=changeit
    ssl.truststore.password=changeit
    parse.key=true
    key.separator=:

Step 3: Testing your Configuration

Use the new properties file of your ConfigMap either to publish some messages to test-0 or with the otc-admin command to describe the topic.

Testing your KafkaUser: (method: otc-admin)

Executing this command should print the name and ID of the topic test-0.

$ otc-admin -c /config/cluster-1/client-tls-oauth-client01.properties get topic/test-0

Testing your KafkaUser: (method: kafka-console-producer)

Replace MY_NAMESPACE with your personal namespace.

$ kafka-console-producer \
    --bootstrap-server cluster-1-kafka-bootstrap.MY_NAMESPACE:9095 \
    --producer.config /config/cluster-1/client-tls-oauth-client01.properties \
    --topic test-0 < /opt/samples/messages_glados_still_alive.txt