Implementation of OAUTHBEARER/OIDC metadata based authentication

.gitignore

@@ -20,6 +20,7 @@ SOURCES
 gmon.out
 *.gz
 *.tgz
+!tests/trivup/trivup*.tar.gz
 *.bz2
 *.deb
 *.rpm

CHANGELOG.md

@@ -2,6 +2,8 @@
 
 librdkafka v2.12.0 is a feature release:
 
+* Support for OAUTHBEARER metadata based authentication types,
+  starting with Azure IMDS. [Introduction available](INTRODUCTION.md#oauthbearer-oidc-metadata-authentication) (#5155).
 * Fix compression types read issue in GetTelemetrySubscriptions response
   for big-endian architectures (#5183, @paravoid).
 * Fix for KIP-1102 time based re-bootstrap condition (#5177).

CONFIGURATION.md

@@ -121,6 +121,7 @@ sasl.oauthbearer.assertion.claim.jti.include |  *  | true, false     |         f
 sasl.oauthbearer.assertion.claim.nbf.seconds |  *  | 0 .. 2147483647 |            60 | low        | Assertion not before time in seconds. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: integer*
 sasl.oauthbearer.assertion.claim.sub     |  *  |                 |               | low        | JWT subject claim. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*
 sasl.oauthbearer.assertion.jwt.template.file |  *  |                 |               | low        | Path to the JWT template file. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT assertion is needed. <br>*Type: string*
+sasl.oauthbearer.metadata.authentication.type |  *  | none, azure_imds |          none | low        | Type of metadata-based authentication to use for OAUTHBEARER/OIDC `azure_imds` authenticates using the Azure IMDS endpoint. Sets a default value for `sasl.oauthbearer.token.endpoint.url` if missing. Configuration values specific of chosen authentication type can be passed through `sasl.oauthbearer.config`. <br>*Type: enum value*
 plugin.library.paths                     |  *  |                 |               | low        | List of plugin libraries to load (; separated). The library search path is platform dependent (see dlopen(3) for Unix and LoadLibrary() for Windows). If no filename extension is specified the platform-specific extension (such as .dll or .so) will be appended automatically. <br>*Type: string*
 interceptors                             |  *  |                 |               | low        | Interceptors added through rd_kafka_conf_interceptor_add_..() and any configuration handled by interceptors. <br>*Type: see dedicated API*
 group.id                                 |  C  |                 |               | high       | Client group id string. All clients sharing the same group.id belong to the same group. <br>*Type: string*

INTRODUCTION.md

@@ -1232,6 +1232,44 @@ either through the template or with the `claim` properties.
   it's possible to dynamically customize the JWT claims with these or to
   skip the template file and use only these properties.
 
+<a name="oauthbearer-oidc-metadata-authentication"></a>
+##### Metadata based authentication
+
+Some cloud providers added the ability to authenticate clients based on
+OAUTHBEARER/OIDC tokens returned from endpoints that can only be called from
+a given instance. Such endpoints are served on a specific IP address (169.254.169.254)
+that is a link-local metadata endpoint.
+
+
+While there is no standard for that still, librdkafka has support for
+some metadata based OAUTHBEARER authentication types.
+
+
+Currently these authentication types are supported:
+
+###### Azure IMDS
+
+To use this method you set:
+
+* `sasl.oauthbearer.metadata.authentication.type=azure_imds` this makes it so 
+   that ` sasl.oauthbearer.client.id` and `sasl.oauthbearer.client.secret` 
+   aren't required.
+* `sasl.oauthbearer.config` is a general purpose configuration property
+  In this case it accepts comma-separated `key=value` pairs.
+  The `query` key is required in case `sasl.oauthbearer.token.endpoint.url` isn't
+  specified and its value is the GET query string to append
+  to the token endpoint URL. Such query string contains params required by
+  Azure IMDS such as `client_id` (the UAMI), `resource` for determining the
+  target audience and `api-version` for the API version to be used by the endpoint
+* `sasl.oauthbearer.token.endpoint.url` (optional) is set automatically.
+  when choosing `sasl.oauthbearer.metadata.authentication.type=azure_imds` but can
+  be customized.
+
+
+_Example:_  `sasl.oauthbearer.metadata.authentication.type=azure_imds` and
+`sasl.oauthbearer.config=params=api-version=2025-04-07&resource=api://<App registration client id>&client_id=<UAMI client id>`
+
+
 <a name="sparse-connections"></a>
 #### Sparse connections