Add Support for certificate-based authentication in Kafka OIDC flow,

[MyMirelHub]

Describe the feature

Enhance the Kafka pub/sub component to support certificate-based authentication (e.g., private_key_jwt) for authType: oidc, addressing setups requiring both mTLS (with a trusted certificate) and a valid OAuth2 token.

Support token requests with:

• client_id: X.509 API Client.
• grant_type: "client_credentials".
• resourceID: Resource URI of the protected API.
• client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
• client_assertion: Signed Base64-encoded JWT using certificates.

Enable a new auth method to combine mTLS and OAuth2 (SASL) for managed Kafka setups supporting Kerberos and OAuth.

Release Note

RELEASE NOTE: ADD Support for certificate-based authentication in Kafka OIDC flow, including mTLS + OAuth2 combination.

[olitomlinson]

I'm not entirely sure that the underlying Kafka Go Client supports everything you've described.

• It does support SASL via KIP-255
• However I see no support for OIDC (which would have been introduced in KIP-768

[acroca]

@olitomlinson maybe I'm oversimplifying the solution, but wouldn't this be a matter of adding the certificates in the component configuration (instead of the secret, so either one or the other) and use those certificates in the TLS connection when we get a token?

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged (pinned, good first issue, help wanted or triaged/resolved) or other activity occurs. Thank you for your contributions.

[github-actions]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as pinned, good first issue, help wanted or triaged/resolved. Thank you for your contributions.

[acroca]

#4057 got merged and will be released in 1.17