From e97131591002b46f7dd6d74b63c758d38ba877be Mon Sep 17 00:00:00 2001 From: halo Date: Fri, 29 May 2026 17:17:53 +0900 Subject: [PATCH] Clarify OAuth issuer checking documentation Signed-off-by: halo --- documentation/modules/oauth/con-oauth-server-config.adoc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/documentation/modules/oauth/con-oauth-server-config.adoc b/documentation/modules/oauth/con-oauth-server-config.adoc index 2b591e7c14d..33d3b1e0ad6 100644 --- a/documentation/modules/oauth/con-oauth-server-config.adoc +++ b/documentation/modules/oauth/con-oauth-server-config.adoc @@ -49,6 +49,9 @@ To enable OAuth 2.0 token-based authentication on a Kafka listener, configure th All OAuth 2.0 validation settings (such as JWKS or token introspection) are provided through the JAAS configuration string inside the listener configuration. +If you disable issuer checking by setting `oauth.check.issuer="false"`, do not configure `oauth.valid.issuer.uri`. +When `oauth.valid.issuer.uri` is configured, the issuer is checked against that value. + === JWT validation example The following example shows a minimal listener configuration that validates JSON Web Tokens (JWTs) using a JWKS endpoint. @@ -149,4 +152,4 @@ To configure HTTP Bearer authentication, set one of the following properties: * `oauth.server.bearer.token` to specify the bearer token in clear text. NOTE: In production environments, avoid storing credentials or bearer tokens in clear text. -Use a secure mechanism to provide these values to the broker. \ No newline at end of file +Use a secure mechanism to provide these values to the broker.
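Review bot: In the first hunk (@@ -49,6 +49,9 @@), the two added sentences do not say what the broker does when `oauth.check.issuer="false"` and `oauth.valid.issuer.uri` are both set. "Do not configure" reads as a prohibition, while "the issuer is checked against that value" suggests the URI takes precedence over the disabled flag. A reader cannot tell whether the result is a rejected configuration, an ignored flag, or an ignored URI. Please state the outcome explicitly in one sentence, and consider also covering the inverse case, where issuer checking is left enabled but `oauth.valid.issuer.uri` is missing. Because this setting decides which tokens the listener accepts, a short line on when disabling issuer checking is appropriate would also help. The new text currently sits right after the general JAAS sentence with nothing to indicate that disabling the check is the exception.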