confluent-kafka-go v1.1.0

OAUTHBEARER SASL authentication (KIP-255) by Ron Dagostini (@rondagostino) at StateStreet.
Offset commit metadata (@damour, #353)
Requires librdkafka v1.1.0 or later

Noteworthy librdkafka v1.1.0 changes

SASL OAUTHBEARER support (by @rondagostino at StateStreet)
In-memory SSL certificates (PEM, DER, PKCS#12) support (by @noahdav at Microsoft)
Pluggable broker SSL certificate verification callback (by @noahdav at Microsoft)
Use Windows Root/CA SSL Certificate Store (by @noahdav at Microsoft)
ssl.endpoint.identification.algorithm=https (off by default) to validate the broker hostname matches the certificate. Requires OpenSSL >= 1.0.2.
Improved GSSAPI/Kerberos ticket refresh

Windows SSL users will no longer need to specify a CA certificate file/directory (ssl.ca.location), librdkafka will load the CA certs by default from the Windows Root Certificate Store.
SSL peer (broker) certificate verification is now enabled by default (disable with enable.ssl.certificate.verification=false)
%{broker.name} is no longer supported in sasl.kerberos.kinit.cmd since kinit refresh is no longer executed per broker, but per client instance.

New configuration properties:

ssl.key.pem - client's private key as a string in PEM format
ssl.certificate.pem - client's public key as a string in PEM format
enable.ssl.certificate.verification - enable(default)/disable OpenSSL's builtin broker certificate verification.
enable.ssl.endpoint.identification.algorithm - to verify the broker's hostname with its certificate (disabled by default).
The private key data is now securely cleared from memory after last use.

SASL GSSAPI/Kerberos: Don't run kinit refresh for each broker, just per client instance.
SASL GSSAPI/Kerberos: Changed sasl.kerberos.kinit.cmd to first attempt ticket refresh, then acquire.
SASL: Proper locking on broker name acquisition.
Consumer: max.poll.interval.ms now correctly handles blocking poll calls, allowing a longer poll timeout than the max poll interval.