OAUTH support for AdobeIMS

Author: amuraru

docs/oauth-configuration.md

@@ -0,0 +1,156 @@
+# OAuth Configuration Guide
+
+kminion supports OAUTHBEARER SASL mechanism with two flavors:
+
+1. **Generic OAuth** - Standard OAuth 2.0 client credentials flow
+2. **Adobe IMS OAuth** - Adobe Identity Management System integration
+
+## Generic OAuth Configuration
+
+For standard OAuth 2.0 providers, configure the following:
+
+```yaml
+kafka:
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      # Leave type empty for generic OAuth
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-client-id"
+      clientSecret: "your-client-secret"
+      scope: "kafka"
+```
+
+### Environment Variables
+
+```bash
+KAFKA_SASL_ENABLED=true
+KAFKA_SASL_MECHANISM=OAUTHBEARER
+KAFKA_SASL_OAUTH_TYPE=""
+KAFKA_SASL_OAUTH_TOKENENDPOINT=https://your-oauth-provider.com/oauth/token
+KAFKA_SASL_OAUTH_CLIENTID=your-client-id
+KAFKA_SASL_OAUTH_CLIENTSECRET=your-client-secret
+KAFKA_SASL_OAUTH_SCOPE=kafka
+```
+
+## Adobe IMS OAuth Configuration
+
+For Adobe Identity Management System, configure the following:
+
+```yaml
+kafka:
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-code"
+```
+
+### Environment Variables
+
+```bash
+KAFKA_SASL_ENABLED=true
+KAFKA_SASL_MECHANISM=OAUTHBEARER
+KAFKA_SASL_OAUTH_TYPE=AdobeIMS
+KAFKA_SASL_OAUTH_TOKENENDPOINT=https://ims-na1.adobelogin.com
+KAFKA_SASL_OAUTH_CLIENTID=your-ims-client-id
+KAFKA_SASL_OAUTH_CLIENTSECRET=your-ims-client-secret
+KAFKA_SASL_OAUTH_ADDITIONAL_CLIENTCODE=your-ims-code
+```
+
+## How It Works
+
+### Generic OAuth Flow
+
+1. kminion uses the client credentials grant type
+2. Sends a POST request to the token endpoint with client ID and secret
+3. Receives an access token
+4. Uses the token for Kafka authentication
+
+### Adobe IMS Flow
+
+1. kminion uses the Adobe IMS Go SDK (`github.com/adobe/ims-go`)
+2. Creates an IMS client with the configured endpoint
+3. Requests a token using the IMS-specific authentication flow
+4. Stores both the access token and refresh token
+5. Uses the access token for Kafka authentication
+6. **Automatically refreshes the token** when it expires in less than 15 minutes
+7. Updates the refresh token if a new one is provided during refresh
+
+## Switching Between Providers
+
+The `type` field determines which OAuth provider to use:
+
+- **Empty or omitted**: Uses generic OAuth with `tokenEndpoint`, `clientId`, `clientSecret`, and `scope`
+- **"AdobeIMS"**: Uses Adobe IMS with `tokenEndpoint`, `clientId`, `clientSecret`, and `additional.clientCode`
+
+### Field Reuse
+
+Both generic OAuth and Adobe IMS share common fields:
+- `tokenEndpoint`: OAuth token endpoint URL (for Adobe IMS, this is the IMS endpoint)
+- `clientId`: OAuth client ID
+- `clientSecret`: OAuth client secret
+
+Provider-specific fields go in the `additional` block:
+- For Adobe IMS: `clientCode` (authorization code)
+
+## Validation
+
+- **Generic OAuth**: Validates that `tokenEndpoint`, `clientId`, and `clientSecret` are provided
+- **Adobe IMS**: Validation happens during client creation when connecting to Kafka
+
+## Token Refresh Behavior
+
+### Generic OAuth
+
+Generic OAuth fetches a new token on every authentication request using the client credentials flow. This is simple but may result in more frequent token requests to the OAuth provider.
+
+### Adobe IMS
+
+Adobe IMS implements intelligent token refresh with resilient error handling:
+
+- **Initial Token**: Obtained during startup using the authorization code with retry logic
+- **Refresh Token**: Stored securely and used for token renewal
+- **Automatic Refresh**: Tokens are automatically refreshed when they expire in less than 15 minutes
+- **Thread-Safe**: Token refresh is protected by mutex to prevent race conditions in concurrent environments
+- **Long-Running Support**: Designed for long-running Kafka clients that need to maintain connections for extended periods
+- **Retry Logic**: Automatic retry with exponential backoff for transient network errors
+
+The 15-minute refresh threshold ensures that:
+- Tokens are refreshed proactively before expiration
+- There's sufficient time to complete the refresh operation
+- Kafka connections remain authenticated without interruption
+
+### Error Resilience
+
+Adobe IMS token operations (both initial fetch and refresh) include automatic retry logic for transient errors:
+
+**Retryable Errors:**
+- Network timeouts (connection timeout, i/o timeout)
+- DNS resolution failures (temporary errors, timeouts)
+- Connection refused errors (service not ready)
+- Connection reset errors (connection dropped)
+- Network dial errors (can't establish connection)
+- Closed network connection errors
+- IMS HTTP errors (408, 429, 500, 502, 503, 504)
+
+**Retry Strategy:**
+- Maximum 3 retry attempts
+- Exponential backoff: 1s, 2s, 4s, 8s, 16s (capped at 30s)
+- Non-retryable errors (e.g., invalid credentials) fail immediately
+- Context cancellation is respected during retry backoff
+
+This ensures that temporary network issues or IMS service hiccups don't cause permanent authentication failures.
+
+## Dependencies
+
+- Generic OAuth: Built-in HTTP client
+- Adobe IMS: `github.com/adobe/ims-go` v0.19.1+
+

docs/reference-config.yaml

@@ -61,10 +61,20 @@ kafka:
       enableFast: true
     # OAUTHBEARER config properties
     oauth:
+      # Type of OAuth provider. Valid values: AdobeIMS (leave empty for generic OAuth)
+      type: ""
+      # OAuth token endpoint (used by both generic OAuth and provider-specific types like AdobeIMS)
       tokenEndpoint: ""
+      # Client ID (used by both generic OAuth and provider-specific types)
       clientId: ""
+      # Client secret (used by both generic OAuth and provider-specific types)
       clientSecret: ""
+      # Scope for generic OAuth (not used by AdobeIMS)
       scope: ""
+      # Additional provider-specific configuration
+      # For AdobeIMS: clientCode is required
+      additional:
+        clientCode: ""
 
 minion:
   consumerGroups:

examples/oauth-config-examples.yaml

@@ -0,0 +1,87 @@
+# Example configurations for OAuth authentication with Kafka
+
+# Example 1: Generic OAuth (e.g., Keycloak, Okta, Auth0)
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9092
+    - kafka-broker-2:9092
+  clientId: "kminion"
+  
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      # Leave type empty for generic OAuth
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-kafka-client-id"
+      clientSecret: "your-kafka-client-secret"
+      scope: "kafka"
+
+# Example 2: Adobe IMS OAuth
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9092
+    - kafka-broker-2:9092
+  clientId: "kminion"
+
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-authorization-code"
+
+# Example 3: Generic OAuth with TLS
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9093
+    - kafka-broker-2:9093
+  clientId: "kminion"
+  
+  tls:
+    enabled: true
+    caFilepath: "/path/to/ca-cert.pem"
+    certFilepath: "/path/to/client-cert.pem"
+    keyFilepath: "/path/to/client-key.pem"
+  
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-kafka-client-id"
+      clientSecret: "your-kafka-client-secret"
+      scope: "kafka"
+
+# Example 4: Adobe IMS OAuth with TLS
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9093
+    - kafka-broker-2:9093
+  clientId: "kminion"
+
+  tls:
+    enabled: true
+    caFilepath: "/path/to/ca-cert.pem"
+
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-authorization-code"
+

go.mod

@@ -3,6 +3,7 @@ module github.com/cloudhut/kminion/v2
 go 1.25
 
 require (
+	github.com/adobe/ims-go v0.19.1
 	github.com/google/uuid v1.6.0
 	github.com/jcmturner/gokrb5/v8 v8.4.4
 	github.com/jellydator/ttlcache/v2 v2.11.1
@@ -14,7 +15,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/twmb/franz-go v1.19.5
 	github.com/twmb/franz-go/pkg/kadm v1.16.1
-	github.com/twmb/franz-go/pkg/kmsg v1.11.2
+	github.com/twmb/franz-go/pkg/kmsg v1.12.0
 	github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0
 	go.uber.org/atomic v1.11.0
 	go.uber.org/automaxprocs v1.6.0
@@ -27,6 +28,7 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/jcmturner/aescts/v2 v2.0.0 // indirect
 	github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect
@@ -44,9 +46,9 @@ require (
 	github.com/prometheus/procfs v0.16.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/crypto v0.42.0 // indirect
-	golang.org/x/net v0.44.0 // indirect
-	golang.org/x/sys v0.36.0 // indirect
+	golang.org/x/crypto v0.43.0 // indirect
+	golang.org/x/net v0.46.0 // indirect
+	golang.org/x/sys v0.37.0 // indirect
 	google.golang.org/protobuf v1.36.8 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,6 +1,8 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/adobe/ims-go v0.19.1 h1:K2/cgCkM/MZO7Nvv+yYjrQKpT6Tuyw1sMUxsUxU7BB4=
+github.com/adobe/ims-go v0.19.1/go.mod h1:cOGPuM+RrWjl9DAo3Z/fU/OOHt+PGpLHwYgidu0dpGQ=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -63,6 +65,8 @@ github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr6
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -298,8 +302,8 @@ github.com/twmb/franz-go v1.19.5/go.mod h1:4kFJ5tmbbl7asgwAGVuyG1ZMx0NNpYk7Eqflv
 github.com/twmb/franz-go/pkg/kadm v1.16.1 h1:IEkrhTljgLHJ0/hT/InhXGjPdmWfFvxp7o/MR7vJ8cw=
 github.com/twmb/franz-go/pkg/kadm v1.16.1/go.mod h1:Ue/ye1cc9ipsQFg7udFbbGiFNzQMqiH73fGC2y0rwyc=
 github.com/twmb/franz-go/pkg/kmsg v1.2.0/go.mod h1:SxG/xJKhgPu25SamAq0rrucfp7lbzCpEXOC+vH/ELrY=
-github.com/twmb/franz-go/pkg/kmsg v1.11.2 h1:hIw75FpwcAjgeyfIGFqivAvwC5uNIOWRGvQgZhH4mhg=
-github.com/twmb/franz-go/pkg/kmsg v1.11.2/go.mod h1:CFfkkLysDNmukPYhGzuUcDtf46gQSqCZHMW1T4Z+wDE=
+github.com/twmb/franz-go/pkg/kmsg v1.12.0 h1:CbatD7ers1KzDNgJqPbKOq0Bz/WLBdsTH75wgzeVaPc=
+github.com/twmb/franz-go/pkg/kmsg v1.12.0/go.mod h1:+DPt4NC8RmI6hqb8G09+3giKObE6uD2Eya6CfqBpeJY=
 github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0 h1:alKdbddkPw3rDh+AwmUEwh6HNYgTvDSFIe/GWYRR9RM=
 github.com/twmb/franz-go/pkg/sasl/kerberos v1.1.0/go.mod h1:k8BoBjyUbFj34f0rRbn+Ky12sZFAPbmShrg0karAIMo=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -334,8 +338,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220817201139-bc19a97f63c8/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
+golang.org/x/crypto v0.43.0 h1:dduJYIi3A3KOfdGOHX8AVZ/jGiyPa3IbBozJ5kNuE04=
+golang.org/x/crypto v0.43.0/go.mod h1:BFbav4mRNlXJL4wNeejLpWxB7wMbc79PdRGhWKncxR0=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -372,8 +376,8 @@ golang.org/x/net v0.0.0-20220725212005-46097bf591d3/go.mod h1:AaygXjzTFtRAg2ttMY
 golang.org/x/net v0.0.0-20220812174116-3211cb980234/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.44.0 h1:evd8IRDyfNBMBTTY5XRF1vaZlD+EmWx6x8PkhR04H/I=
-golang.org/x/net v0.44.0/go.mod h1:ECOoLqd5U3Lhyeyo/QDCEVQ4sNgYsqvCZ722XogGieY=
+golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4=
+golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -425,8 +429,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ=
+golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=