KIP-1139 — Add support for OAuth jwt-bearer grant type
Accepted Kafka 4.1 Security
Adds support for the OAuth 2.0 `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type (RFC 7523) in Kafka clients alongside the existing `client_credentials` grant, allowing authentication via a signed JWT assertion instead of a plaintext secret. The `client_credentials` grant requires embedding plaintext secrets in client configuration, which many organizations and cloud providers prohibit for security compliance.
Details
| Author | Kirk True |
| Status | Accepted |
| Kafka Version | 4.1 |
| JIRA | KAFKA-18573 |
| Created | 2025-02-07 |
| Last Modified | 2025-05-13 |