KIP-1258 — Add Support for OAuth Client Assertion to client_credentials Grant Type

Accepted Security

Adds support for OAuth 2.0 client assertion (JWT Bearer, per RFC 7521/7523) as an authentication method for the client_credentials grant in Kafka's OAUTHBEARER SASL implementation. The current implementation only supports client_secret via HTTP Basic authentication (KIP-768), which requires sharing a long-lived secret—a security liability in zero-trust, short-lived-credential environments.

Details

Author: Prabhash Kumar
Status: Accepted
JIRA: KAFKA-18608
Created: 2025-12-17
Last Modified: 2026-03-05