OAUTH support for AdobeIMS

Author: amuraru

docs/oauth-configuration.md

@@ -0,0 +1,110 @@
+# OAuth Configuration Guide
+
+kminion supports OAUTHBEARER SASL mechanism with two flavors:
+
+1. **Generic OAuth** - Standard OAuth 2.0 client credentials flow
+2. **Adobe IMS OAuth** - Adobe Identity Management System integration
+
+## Generic OAuth Configuration
+
+For standard OAuth 2.0 providers, configure the following:
+
+```yaml
+kafka:
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      # Leave type empty for generic OAuth
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-client-id"
+      clientSecret: "your-client-secret"
+      scope: "kafka"
+```
+
+### Environment Variables
+
+```bash
+KAFKA_SASL_ENABLED=true
+KAFKA_SASL_MECHANISM=OAUTHBEARER
+KAFKA_SASL_OAUTH_TYPE=""
+KAFKA_SASL_OAUTH_TOKENENDPOINT=https://your-oauth-provider.com/oauth/token
+KAFKA_SASL_OAUTH_CLIENTID=your-client-id
+KAFKA_SASL_OAUTH_CLIENTSECRET=your-client-secret
+KAFKA_SASL_OAUTH_SCOPE=kafka
+```
+
+## Adobe IMS OAuth Configuration
+
+For Adobe Identity Management System, configure the following:
+
+```yaml
+kafka:
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-code"
+```
+
+### Environment Variables
+
+```bash
+KAFKA_SASL_ENABLED=true
+KAFKA_SASL_MECHANISM=OAUTHBEARER
+KAFKA_SASL_OAUTH_TYPE=AdobeIMS
+KAFKA_SASL_OAUTH_TOKENENDPOINT=https://ims-na1.adobelogin.com
+KAFKA_SASL_OAUTH_CLIENTID=your-ims-client-id
+KAFKA_SASL_OAUTH_CLIENTSECRET=your-ims-client-secret
+KAFKA_SASL_OAUTH_ADDITIONAL_CLIENTCODE=your-ims-code
+```
+
+## How It Works
+
+### Generic OAuth Flow
+
+1. kminion uses the client credentials grant type
+2. Sends a POST request to the token endpoint with client ID and secret
+3. Receives an access token
+4. Uses the token for Kafka authentication
+
+### Adobe IMS Flow
+
+1. kminion uses the Adobe IMS Go SDK (`github.com/adobe/ims-go`)
+2. Creates an IMS client with the configured endpoint
+3. Requests a token using the IMS-specific authentication flow
+4. Uses the access token for Kafka authentication
+
+## Switching Between Providers
+
+The `type` field determines which OAuth provider to use:
+
+- **Empty or omitted**: Uses generic OAuth with `tokenEndpoint`, `clientId`, `clientSecret`, and `scope`
+- **"AdobeIMS"**: Uses Adobe IMS with `tokenEndpoint`, `clientId`, `clientSecret`, and `additional.clientCode`
+
+### Field Reuse
+
+Both generic OAuth and Adobe IMS share common fields:
+- `tokenEndpoint`: OAuth token endpoint URL (for Adobe IMS, this is the IMS endpoint)
+- `clientId`: OAuth client ID
+- `clientSecret`: OAuth client secret
+
+Provider-specific fields go in the `additional` block:
+- For Adobe IMS: `clientCode` (authorization code)
+
+## Validation
+
+- **Generic OAuth**: Validates that `tokenEndpoint`, `clientId`, and `clientSecret` are provided
+- **Adobe IMS**: Validation happens during client creation when connecting to Kafka
+
+## Dependencies
+
+- Generic OAuth: Built-in HTTP client
+- Adobe IMS: `github.com/adobe/ims-go` v0.16.1+
+

docs/reference-config.yaml

@@ -61,10 +61,20 @@ kafka:
       enableFast: true
     # OAUTHBEARER config properties
     oauth:
+      # Type of OAuth provider. Valid values: AdobeIMS (leave empty for generic OAuth)
+      type: ""
+      # OAuth token endpoint (used by both generic OAuth and provider-specific types like AdobeIMS)
       tokenEndpoint: ""
+      # Client ID (used by both generic OAuth and provider-specific types)
       clientId: ""
+      # Client secret (used by both generic OAuth and provider-specific types)
       clientSecret: ""
+      # Scope for generic OAuth (not used by AdobeIMS)
       scope: ""
+      # Additional provider-specific configuration
+      # For AdobeIMS: clientCode is required
+      additional:
+        clientCode: ""
 
 minion:
   consumerGroups:

examples/oauth-config-examples.yaml

@@ -0,0 +1,87 @@
+# Example configurations for OAuth authentication with Kafka
+
+# Example 1: Generic OAuth (e.g., Keycloak, Okta, Auth0)
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9092
+    - kafka-broker-2:9092
+  clientId: "kminion"
+  
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      # Leave type empty for generic OAuth
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-kafka-client-id"
+      clientSecret: "your-kafka-client-secret"
+      scope: "kafka"
+
+# Example 2: Adobe IMS OAuth
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9092
+    - kafka-broker-2:9092
+  clientId: "kminion"
+
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-authorization-code"
+
+# Example 3: Generic OAuth with TLS
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9093
+    - kafka-broker-2:9093
+  clientId: "kminion"
+  
+  tls:
+    enabled: true
+    caFilepath: "/path/to/ca-cert.pem"
+    certFilepath: "/path/to/client-cert.pem"
+    keyFilepath: "/path/to/client-key.pem"
+  
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: ""
+      tokenEndpoint: "https://your-oauth-provider.com/oauth/token"
+      clientId: "your-kafka-client-id"
+      clientSecret: "your-kafka-client-secret"
+      scope: "kafka"
+
+# Example 4: Adobe IMS OAuth with TLS
+---
+kafka:
+  brokers:
+    - kafka-broker-1:9093
+    - kafka-broker-2:9093
+  clientId: "kminion"
+
+  tls:
+    enabled: true
+    caFilepath: "/path/to/ca-cert.pem"
+
+  sasl:
+    enabled: true
+    mechanism: "OAUTHBEARER"
+    oauth:
+      type: "AdobeIMS"
+      tokenEndpoint: "https://ims-na1.adobelogin.com"
+      clientId: "your-ims-client-id"
+      clientSecret: "your-ims-client-secret"
+      additional:
+        clientCode: "your-ims-authorization-code"
+

go.mod

@@ -22,7 +22,10 @@ require (
 	golang.org/x/sync v0.17.0
 )
 
+require github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
+
 require (
+	github.com/adobe/ims-go v0.16.1
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

go.sum

@@ -1,6 +1,8 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/adobe/ims-go v0.16.1 h1:n1gYlfAV9djx9+r9VGU8I49G8fnIrIsZvX1s/XJVD3w=
+github.com/adobe/ims-go v0.16.1/go.mod h1:nsvzRhDFespyZnnLxQlsfBmlfGzqcy/zuS2HGebDHMI=
 github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
@@ -63,6 +65,8 @@ github.com/go-test/deep v1.0.2-0.20181118220953-042da051cf31/go.mod h1:wGDj63lr6
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=

kafka/client_config_helper.go

@@ -119,15 +119,30 @@ func NewKgoConfig(cfg Config, logger *zap.Logger) ([]kgo.Opt, error) {
 		}
 
 		// OAuthBearer
-		if cfg.SASL.Mechanism == "OAUTHBEARER" {
-			mechanism := oauth.Oauth(func(ctx context.Context) (oauth.Auth, error) {
-				token, err := cfg.SASL.OAuthBearer.getToken(ctx)
-				return oauth.Auth{
-					Zid:   cfg.SASL.OAuthBearer.ClientID,
-					Token: token,
-				}, err
-			})
-			opts = append(opts, kgo.SASL(mechanism))
+		if cfg.SASL.Mechanism == SASLMechanismOAuthBearer {
+			switch cfg.SASL.OAuthBearer.Type {
+			case OAuthBearerTypeAdobeIMS:
+				bearer, err := NewAdobeImsOAuthBearer(
+					cfg.SASL.OAuthBearer.ClientID,
+					cfg.SASL.OAuthBearer.ClientSecret,
+					cfg.SASL.OAuthBearer.Additional.ClientCode,
+					cfg.SASL.OAuthBearer.TokenEndpoint,
+				)
+				if err != nil {
+					return nil, fmt.Errorf("failed to create Adobe IMS OAuth bearer: %w", err)
+				}
+				opts = append(opts, bearer.Opt())
+			default:
+				// Generic OAuth
+				mechanism := oauth.Oauth(func(ctx context.Context) (oauth.Auth, error) {
+					token, err := cfg.SASL.OAuthBearer.getToken(ctx)
+					return oauth.Auth{
+						Zid:   cfg.SASL.OAuthBearer.ClientID,
+						Token: token,
+					}, err
+				})
+				opts = append(opts, kgo.SASL(mechanism))
+			}
 		}
 	}
 

kafka/config_sasl_oauthbearer.go

@@ -10,21 +10,25 @@ import (
 	"strings"
 )
 
+// OAuthBearerConfig represents the OAUTHBEARER SASL config with support for different providers
 type OAuthBearerConfig struct {
+	// Type of OAuth provider. Valid values: "AdobeIMS" (leave empty for generic OAuth)
+	Type OAuthBearerType `koanf:"type"`
+
+	// Generic OAuth configuration (used when Type is empty)
 	TokenEndpoint string `koanf:"tokenEndpoint"`
 	ClientID      string `koanf:"clientId"`
 	ClientSecret  string `koanf:"clientSecret"`
 	Scope         string `koanf:"scope"`
+
+	// Additional provider-specific configuration
+	Additional OAuthAdditionalConfig `koanf:"additional"`
 }
 
-func (c *OAuthBearerConfig) Validate() error {
-	if c.TokenEndpoint == "" {
-		return fmt.Errorf("OAuthBearer token endpoint is not specified")
-	}
-	if c.ClientID == "" || c.ClientSecret == "" {
-		return fmt.Errorf("OAuthBearer client credentials are not specified")
-	}
-	return nil
+// OAuthAdditionalConfig holds provider-specific OAuth configuration
+type OAuthAdditionalConfig struct {
+	// Adobe IMS specific fields (used when Type is "AdobeIMS")
+	ClientCode string `koanf:"clientCode"`
 }
 
 // same as AcquireToken in Console https://github.com/redpanda-data/console/blob/master/backend/pkg/config/kafka_sasl_oauth.go#L56
@@ -73,3 +77,37 @@ func (c *OAuthBearerConfig) getToken(ctx context.Context) (string, error) {
 
 	return accessToken, nil
 }
+
+// Validate validates the OAuthBearerConfig
+func (c *OAuthBearerConfig) Validate() error {
+	// Common validation for all OAuth types
+	if c.TokenEndpoint == "" {
+		return fmt.Errorf("OAuthBearer token endpoint is not specified")
+	}
+	if c.ClientID == "" || c.ClientSecret == "" {
+		return fmt.Errorf("OAuthBearer client credentials are not specified")
+	}
+
+	// Type-specific validation
+	switch c.Type {
+	case OAuthBearerTypeAdobeIMS:
+		// Adobe IMS specific validation
+		if c.Additional.ClientCode == "" {
+			return fmt.Errorf("OAuthBearer Adobe IMS client code is not specified")
+		}
+	case "":
+		// Generic OAuth - no additional validation needed
+	default:
+		return fmt.Errorf("unknown OAuthBearer type '%s'", c.Type)
+	}
+
+	return nil
+}
+
+// OAuthBearerType represents the type of OAuth provider
+type OAuthBearerType string
+
+const (
+	// OAuthBearerTypeAdobeIMS represents Adobe IMS OAuth provider
+	OAuthBearerTypeAdobeIMS OAuthBearerType = "AdobeIMS"
+)