Implementation of OAUTHBEARER/OIDC metadata based authentication #5155
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
There was a problem hiding this comment.
Pull Request Overview
This PR implements OAUTHBEARER/OIDC metadata-based authentication, initially supporting the Azure UAMI (User Assigned Managed Identity) method for token retrieval.
- Adds Azure UAMI metadata authentication support for OAUTHBEARER/OIDC
- Refactors HTTP client to support custom headers and retry logic
- Introduces configuration parameter for metadata authentication type
Reviewed Changes
Copilot reviewed 13 out of 16 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/rdkafka_sasl_oauthbearer_oidc.c | Implements Azure metadata token refresh callback with HTTP calls to Azure UAMI endpoint |
| src/rdkafka_sasl_oauthbearer_oidc.h | Declares the new Azure metadata token refresh callback function |
| src/rdkafka_conf.h | Adds metadata authentication type enum and configuration structure |
| src/rdkafka_conf.c | Adds configuration property and refactors OIDC validation logic into separate functions |
| src/rdkafka_sasl_oauthbearer.c | Simplifies builtin token refresh callback detection logic |
| src/rdkafka.c | Integrates Azure metadata authentication into the OIDC token refresh mechanism |
| src/rdhttp.h | Updates HTTP client interface to support headers, timeouts, and retries |
| src/rdhttp.c | Enhances HTTP client with parameter appending, custom headers, and retry functionality |
| CONFIGURATION.md | Documents the new metadata authentication type configuration parameter |
| tests/0126-oauthbearer_oidc.c | Removes duplicate configuration line in test |
airlock-confluentinc
bot
force-pushed
the
dev_oauthbearer_metadata_based
branch
4 times, most recently
from
e1c95a8 to
45f2a29
Compare
airlock-confluentinc
bot
force-pushed
the
dev_oauthbearer_metadata_based
branch
from
45f2a29 to
26d990a
Compare
milindl
reviewed
Sep 17, 2025
Contributor
milindl
left a comment
milindl
left a comment
There was a problem hiding this comment.
some minor comments, one not-so-minor comment, thanks for making the PR
src/rdkafka_sasl_oauthbearer_oidc.c
Outdated
| * @brief Implementation of Oauth/OIDC token refresh callback function | ||
| * for Azure IMDS, | ||
| * will receive the JSON response after HTTP(S) GET call to token | ||
| * provider, then extract the jwt from the JSON response, and forward it to the |
INTRODUCTION.md
Outdated
|
|
||
| ###### Azure IMDS | ||
|
|
||
| to use this method you set: |
Contributor
There was a problem hiding this comment.
Suggested change
| to use this method you set: | |
| To use this method you set: |
INTRODUCTION.md
Outdated
Comment on lines
1254
to
1255
| * `sasl.oauthbearer.metadata.authentication.type=azure_imds` this make that ` sasl.oauthbearer.client.id` | ||
| and `sasl.oauthbearer.client.secret` aren't required |
Contributor
There was a problem hiding this comment.
Suggested change
| * `sasl.oauthbearer.metadata.authentication.type=azure_imds` this make that ` sasl.oauthbearer.client.id` | |
| and `sasl.oauthbearer.client.secret` aren't required | |
| * `sasl.oauthbearer.metadata.authentication.type=azure_imds` this makes it so that ` sasl.oauthbearer.client.id` | |
| and `sasl.oauthbearer.client.secret` aren't required. |
INTRODUCTION.md
Outdated
Comment on lines
1256
to
1257
| * `sasl.oauthbearer.config` is a general purpose configuration property | ||
| In this case it's accepts comma-separated `key=value` pairs. |
Contributor
There was a problem hiding this comment.
Suggested change
| * `sasl.oauthbearer.config` is a general purpose configuration property | |
| In this case it's accepts comma-separated `key=value` pairs. | |
| * `sasl.oauthbearer.config` is a general purpose configuration property. | |
| In this case its accepts comma-separated `key=value` pairs. |
INTRODUCTION.md
Outdated
Comment on lines
1258
to
1264
| The `params` key is required and its value is the GET query string to append | ||
| to the token endpoint URL. Such query string contains params required by | ||
| Azure IMDS such as `client_id` (the UAMI), `resource` for determining the | ||
| target audience and `api-version` for the API version to be used by the endpoint | ||
| * `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically | ||
| when chosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can | ||
| be customized |
Contributor
There was a problem hiding this comment.
Suggested change
| The `params` key is required and its value is the GET query string to append | |
| to the token endpoint URL. Such query string contains params required by | |
| Azure IMDS such as `client_id` (the UAMI), `resource` for determining the | |
| target audience and `api-version` for the API version to be used by the endpoint | |
| * `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically | |
| when chosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can | |
| be customized | |
| The `params` key is required and its value is the GET query string to append | |
| to the token endpoint URL. Such a query string contains params required by | |
| Azure IMDS, such as `client_id` (the UAMI), `resource` for determining the | |
| target audience and `api-version` for the API version to be used by the endpoint. | |
| * `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically | |
| when choosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can | |
| be customized. |
| * | ||
| * @returns A newly allocated string with the appended parameters. | ||
| */ | ||
| char *rd_http_get_params_append(const char *url, const char *params) { |
Contributor
There was a problem hiding this comment.
rather than rolling our url builder, is it okay to use curl instead? that way well tested code is used, for example:
CURLUcode rc = curl_url_set(h, CURLUPART_URL,
"https://example.com:449/foo/bar#abc", 0);
rc = curl_url_set(h, CURLUPART_QUERY, "param1=N",
CURLU_APPENDQUERY | CURLU_URLENCODE); // can choose to urlencode or not
rc = curl_url_set(h, CURLUPART_QUERY, "param2=3",
CURLU_APPENDQUERY | CURLU_URLENCODE);
rc = curl_url_set(h, CURLUPART_FRAGMENT, NULL, 0); // remove hash fragment
char *url;
rc = curl_url_get(h, CURLUPART_URL, &url, 0);
printf("%s\n", url);
Contributor
Author
|
trviup PR is here |
…tially supporting the Azure UAMI method.
based authentications
…ntity with IMDS that is the authentication service
function and enums
…" as in other implementations and to make it optional if the default endpoint is overridden.
airlock-confluentinc
bot
force-pushed
the
dev_oauthbearer_metadata_based
branch
from
a7e64d8 to
7d356de
Compare
milindl
approved these changes
Sep 26, 2025
Contributor
milindl
left a comment
milindl
left a comment
There was a problem hiding this comment.
Thanks for addressing the comments
airlock-confluentinc bot
pushed a commit
that referenced
this pull request
Nov 26, 2025
* Implementation of OAUTHBEARER/OIDC metadata based authentication, initially supporting the Azure UAMI method. * Tests with trivup 0.14.0 supporting metadata based authentications * Add documentation and changelog entry * Rename `azure` value to `azure_imds` and replace UAMI that is the identity with IMDS that is the authentication service * Extract authentication URL and rename internal function and enums * Changes to name the configuration property "query" instead of "params" as in other implementations and to make it optional if the default endpoint is overridden.
airlock-confluentinc bot
pushed a commit
that referenced
this pull request
Nov 26, 2025
* Implementation of OAUTHBEARER/OIDC metadata based authentication, initially supporting the Azure UAMI method. * Tests with trivup 0.14.0 supporting metadata based authentications * Add documentation and changelog entry * Rename `azure` value to `azure_imds` and replace UAMI that is the identity with IMDS that is the authentication service * Extract authentication URL and rename internal function and enums * Changes to name the configuration property "query" instead of "params" as in other implementations and to make it optional if the default endpoint is overridden.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
initially supporting the Azure UAMI method.