sasl.oauthbearer.jwks.endpoint.url — Kafka Broker Configuration
The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved. The URL can be HTTP(S)-based or file-based.
Description
The OAuth/OIDC provider URL from which the provider's JWKS (JSON Web Key Set) can be retrieved. The URL can be HTTP(S)-based or file-based.

If the URL is HTTP(S)-based, the broker retrieves the JWKS from the OAuth/OIDC provider at the configured URL on startup and caches all then-current keys for incoming requests. If an authentication request arrives carrying a JWT whose "kid" header value is not yet in the cache, the broker queries the JWKS endpoint again on demand. In addition, the broker polls the URL every sasl.oauthbearer.jwks.endpoint.refresh.ms milliseconds, so newly published keys are normally cached before the first JWT signed with them arrives. Prefer an https:// URL: with plain http:// the key set is fetched without transport authentication, and an on-path attacker who substitutes their own keys can mint tokens the broker will accept.

If the URL is file-based, the broker loads the JWKS file from the configured location once, on startup. If a JWT carries a "kid" header value that is not in that file, the broker rejects the JWT and authentication fails; a rotated key set therefore only takes effect once the updated file has been re-read at broker startup.
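The following is an added, offline model of the behaviour described above; it is example code written for this page, not Kafka's own implementation. It classifies candidate values for sasl.oauthbearer.jwks.endpoint.url (flagging cleartext http:// as weak), then reproduces the two "kid" lookup behaviours: an HTTP(S) URL re-queries the key set on an unknown "kid", while a file URL rejects it. The JWKS documents, tokens and the rotating identity provider are constructed inline (placeholder key material, dummy signature); the URL names and the fetch callable are assumptions, not values from the page. A real validator also verifies the signature, expiry, issuer and audience, which this model leaves out.

```python
"""Offline model of the broker-side JWKS handling described for
sasl.oauthbearer.jwks.endpoint.url. Added example, not Kafka's own code:
Kafka's real validator also checks signature, expiry, issuer and audience;
this models only URL acceptance and the kid-cache semantics.

Assumptions not from the page: JWKS documents are JSON with a "keys" array
of JWK objects carrying a "kid"; network/file reads are represented by a
callable so the example runs offline against constructed documents."""
import base64
import json
from typing import Callable, Dict, Optional
from urllib.parse import urlparse


def check_jwks_url(url: str) -> str:
    """Classify a candidate config value: 'ok', 'weak' (cleartext http,
    an on-path attacker can substitute the key set) or 'invalid'."""
    scheme = urlparse(url).scheme
    if scheme in ("https", "file"):
        return "ok"
    if scheme == "http":
        return "weak"
    return "invalid"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_kid(token: str) -> Optional[str]:
    """Return the 'kid' header claim of a compact JWS, or None if absent."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid")


class JwksCache:
    """kid -> JWK cache with the two behaviours the page describes."""

    def __init__(self, url: str, fetch: Callable[[str], str]):
        if check_jwks_url(url) == "invalid":
            raise ValueError(f"unsupported JWKS URL: {url}")
        self.url = url
        self.remote = urlparse(url).scheme in ("http", "https")
        self.fetch = fetch
        self.fetch_count = 0
        self.keys: Dict[str, dict] = {}
        self.refresh()  # both modes load the key set at startup

    def refresh(self) -> None:
        """Re-read the JWKS (startup, periodic refresh, or on-demand)."""
        self.fetch_count += 1
        doc = json.loads(self.fetch(self.url))
        self.keys = {k["kid"]: k for k in doc["keys"] if "kid" in k}

    def key_for(self, token: str) -> Optional[dict]:
        """Resolve the verification key for a token; None means reject."""
        kid = jwt_kid(token)
        if kid is None:
            return None
        if kid not in self.keys and self.remote:
            self.refresh()  # HTTP(S): unknown kid triggers an on-demand query
        return self.keys.get(kid)  # file: an unknown kid is simply rejected


# Constructed sample data (not real keys; modulus values are placeholders).
def _jwk(kid: str) -> dict:
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": "placeholder-modulus", "e": "AQAB"}


JWKS_BEFORE_ROTATION = json.dumps({"keys": [_jwk("key-2024")]})
JWKS_AFTER_ROTATION = json.dumps({"keys": [_jwk("key-2024"), _jwk("key-2025")]})


def make_token(kid: str) -> str:
    """Constructed compact JWS with a real header and a dummy signature."""
    def enc(b: bytes) -> str:
        return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    payload = json.dumps({"sub": "svc-producer", "iss": "https://idp.example"}).encode()
    return f"{enc(header)}.{enc(payload)}.{enc(b'not-a-real-signature')}"


class RotatingProvider:
    """Serves the old key set once, then the rotated set (simulated IdP)."""
    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, url: str) -> str:
        self.calls += 1
        return JWKS_BEFORE_ROTATION if self.calls == 1 else JWKS_AFTER_ROTATION


def demo_remote():
    """HTTPS URL: a kid published after the startup load is fetched on demand."""
    cache = JwksCache("https://idp.example/.well-known/jwks.json", RotatingProvider())
    old_ok = cache.key_for(make_token("key-2024")) is not None
    new_ok = cache.key_for(make_token("key-2025")) is not None
    return old_ok, new_ok, cache.fetch_count  # (True, True, 2)


def demo_file():
    """file URL: the set is read once; an unknown kid is rejected outright."""
    cache = JwksCache("file:///etc/kafka/jwks.json", lambda url: JWKS_BEFORE_ROTATION)
    old_ok = cache.key_for(make_token("key-2024")) is not None
    new_ok = cache.key_for(make_token("key-2025")) is not None
    return old_ok, new_ok, cache.fetch_count  # (True, False, 1)


if __name__ == "__main__":
    print("https:", demo_remote(), "file:", demo_file(),
          "http url:", check_jwks_url("http://idp.example/jwks.json"))
```

The two demo functions show the operational difference that matters during key rotation: with an HTTP(S) URL the second fetch happens transparently on the first token carrying the new "kid", whereas with a file URL the same token is rejected until the file is updated and re-read.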
Default Values by Kafka Version
| Kafka Version | Default Value |
|---|---|
| 3.1 | null |
| 3.2 | null |
| 3.3 | null |
| 3.4 | null |
| 3.5 | null |
| 3.6 | null |
| 3.7 | null |
| 3.8 | null |
| 3.9 | null |
| 4.0 | null |
| 4.1 | null |
| 4.2 | null |