Context
As a Gateway administrator, you might require your applications to log in to Gateway using OAuthBearer. If you decide to use Azure AD for that, this article will help you set it up.
As shown in the documentation linked above, you have to add a few more settings to your Gateway:
GATEWAY_OAUTH_JWKS_URL: <OIDC_PROVIDER_JWKS_URL> # To verify the token
GATEWAY_OAUTH_EXPECTED_ISSUER: <OIDC_ISSUER> # Issuer the token must have been issued by
GATEWAY_OAUTH_EXPECTED_AUDIENCES: "[<AUDIENCES>]" # Audiences the token must carry to be allowed to connect
And then, the application setup can look like the following:
sasl.mechanism=OAUTHBEARER
security.protocol=SASL_PLAINTEXT
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=<OIDC_TOKEN_ENDPOINT>
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="<CLIENT_ID>" clientSecret="<CLIENT_SECRET>" scope="<SCOPE>";
Using v1.0 of Azure's API
Azure setup
You only need to create an app registration that will be used as a client. This application does not need any callback URI, but you must create credentials (a client secret) for it.
If you're using v1.0 of Azure's API, you can find your .well-known document at:
https://login.microsoftonline.com/<TENANT_ID>/.well-known/openid-configuration
Opening this URL in a browser returns the values you need.
Gateway setup
GATEWAY_OAUTH_JWKS_URL: https://login.microsoftonline.com/common/discovery/keys
GATEWAY_OAUTH_EXPECTED_ISSUER: https://sts.windows.net/<TENANT_ID>/
GATEWAY_OAUTH_EXPECTED_AUDIENCES: "[<AUDIENCES>]"
Gateway will tell you the expected audience the first time you run it with this configuration. You'll see a log line like:
Could not validate the access token: JWT <TOKEN_DETAILS> rejected due to invalid claims or other invalid content. Additional details: [[8] Audience (aud) claim [00000002-0000-0000-c000-000000000000] present in the JWT but no expected audience value(s) were provided to the JWT Consumer. Expected one of [] as an aud value.]
To finish your configuration, set the audience reported in the log above in your Gateway and deploy it again:
GATEWAY_OAUTH_EXPECTED_AUDIENCES: "[00000002-0000-0000-c000-000000000000]"
Client setup
sasl.mechanism=OAUTHBEARER
security.protocol=SASL_PLAINTEXT
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=https://login.microsoftonline.com/<TENANT_ID>/oauth2/token
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="<CLIENT_ID>" clientSecret="<CLIENT_SECRET>" scope=".default";
Using v2.0 of Azure's API
If you're using v2.0 of Azure's API, things get a bit harder.
The v2.0 .well-known document gives you a v2.0 issuer, but your applications will still obtain v1.0 tokens, so the issuer Gateway expects (v2.0) will not match the one in the token (v1.0). If you try, you'll hit the following error:
Could not validate the access token: JWT rejected due to invalid signature.
To force your applications to use v2.0 tokens, you have to create a "gateway" application that the clients will use as their scope.
Azure setup
Create a classic application in the App Registrations section of Azure AD, then go to its Manifest section. There, set the following to enforce the use of v2.0:
"accessTokenAcceptedVersion": 2
On top of this, go to the Expose an API section and add an Application ID URI. You can use the suggested one, which will look like api://<RANDOM_UID>.
There is no need to create credentials for this application. The Application ID URI will be used as the scope when authenticating the client applications, and the random UID of the "gateway" app will be the audience.
Now that the Azure side is set up, use the following .well-known URL to retrieve the required information:
https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration
Gateway setup
GATEWAY_OAUTH_JWKS_URL: https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys
GATEWAY_OAUTH_EXPECTED_ISSUER: https://login.microsoftonline.com/<TENANT_ID>/v2.0
GATEWAY_OAUTH_EXPECTED_AUDIENCES: "[<RANDOM_UID>]"
Client setup
sasl.mechanism=OAUTHBEARER
security.protocol=SASL_PLAINTEXT
sasl.login.callback.handler.class=org.apache.kafka.common.security.oauthbearer.secured.OAuthBearerLoginCallbackHandler
sasl.oauthbearer.token.endpoint.url=https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token
sasl.jaas.config=org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required clientId="<CLIENT_ID>" clientSecret="<CLIENT_SECRET>" scope="api://<RANDOM_UID>/.default";
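As an added example (not from the article or from Gateway itself), the following Python script decodes the claims of an Azure access token and applies the issuer and audience checks that the two Gateway setups above express, flagging a v1.0 token presented to a v2.0 configuration via Azure's "ver" claim. The helper names are assumptions, signature verification against the JWKS URL is left to Gateway, and the tokens it builds are constructed and unsigned for offline demonstration.

```python
import base64
import json

# Expected issuer and audience per Azure API version, as configured on Gateway above;
# <TENANT_ID> and <RANDOM_UID> are placeholders exactly as in the article.
AZURE_SETUPS = {
    "1.0": {"issuer": "https://sts.windows.net/<TENANT_ID>/",
            "audiences": ["00000002-0000-0000-c000-000000000000"]},
    "2.0": {"issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
            "audiences": ["<RANDOM_UID>"]},
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature is NOT checked here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_claims(claims: dict, expected_issuer: str, expected_audiences: list) -> list:
    """Apply the issuer/audience checks Gateway performs; return the problems found."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != expected {expected_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if not any(a in expected_audiences for a in auds):
        problems.append(f"audience {auds} not among expected {expected_audiences}")
    return problems

def diagnose(token: str, configured_version: str) -> list:
    """Check a token against one API version's settings and hint at a v1.0/v2.0 mismatch."""
    claims = decode_claims(token)
    cfg = AZURE_SETUPS[configured_version]
    problems = check_claims(claims, cfg["issuer"], cfg["audiences"])
    token_version = claims.get("ver")  # Azure sets "1.0" or "2.0" here
    if problems and token_version in AZURE_SETUPS and token_version != configured_version:
        problems.append(f"token is v{token_version} but Gateway is configured for v{configured_version}")
    return problems

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT (alg=none) for offline demonstration only."""
    def enc(o): return base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```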