Is OAuth Authentication with Service Accounts Supported in Strimzi Kafka?

[AnjanaAK]

I’m exploring the possibility of implementing OAuth-based authentication in Strimzi Kafka using Kubernetes service accounts (SA). Specifically, I would like to authenticate Kafka clients using JWT tokens issued by Kubernetes service accounts, and validate these tokens against the Kubernetes JWKS endpoint.

Key Questions:

• Is it possible to configure Strimzi Kafka to authenticate using OAuth with Kubernetes service accounts?
• Can Strimzi Kafka validate service account JWT tokens via the Kubernetes JWKS endpoint as part of an OAuth authentication flow?

Use Case:
I am aiming to authenticate Kafka clients based on JWT tokens issued to Kubernetes service accounts. The goal is for Kafka to use these tokens for client authentication, with validation being handled through the Kubernetes OAuth/JWKS mechanism.

Context:
Strimzi Version: v0.45.0
Kubernetes Version: v1.28.4

I tried something like this in kafka spec:

    listeners:
      - name: oauth
        port: 9094
        type: internal
        tls: true
        authentication:
          type: oauth
          validIssuerUri: https://kubernetes.default.svc
          jwksEndpointUri: https://kubernetes.default.svc/openid/v1/jwks
          userNameClaim: sub
          tlsTrustedCertificates:
            - secretName: k8s-api-ca
              certificate: ca.crt
          disableTlsHostnameVerification: true

But the request to the Kubernetes JWKS endpoint (https://kubernetes.default.svc/openid/v1/jwks) was rejected with a 403 Forbidden error due to authentication issues. The error message indicated that the request was being made by an unauthorized user (system:anonymous), as Kubernetes service account tokens were not properly authorized for accessing the endpoint.

2025-05-07 03:19:44,187 ERROR Exiting Kafka due to fatal exception during startup. (kafka.Kafka$) [main]
org.apache.kafka.common.KafkaException: io.strimzi.kafka.oauth.services.ServiceException: Failed to fetch public keys needed to validate JWT signatures: https://kubernetes.default.svc/openid/v1/jwks
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:187)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:193)
	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:108)
	at kafka.network.Processor.<init>(SocketServer.scala:976)
	at kafka.network.Acceptor.newProcessor(SocketServer.scala:881)
	at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:851)
	at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
	at kafka.network.Acceptor.addProcessors(SocketServer.scala:850)
	at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:524)
	at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:252)
	at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:176)
	at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:176)
	at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:619)
	at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:617)
	at scala.collection.AbstractIterable.foreach(Iterable.scala:935)
	at kafka.network.SocketServer.<init>(SocketServer.scala:176)
	at kafka.server.BrokerServer.startup(BrokerServer.scala:252)
	at kafka.server.KafkaRaftServer.$anonfun$startup$2(KafkaRaftServer.scala:99)
	at kafka.server.KafkaRaftServer.$anonfun$startup$2$adapted(KafkaRaftServer.scala:99)
	at scala.Option.foreach(Option.scala:437)
	at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:99)
	at kafka.Kafka$.main(Kafka.scala:112)
	at kafka.Kafka.main(Kafka.scala)
Caused by: io.strimzi.kafka.oauth.services.ServiceException: Failed to fetch public keys needed to validate JWT signatures: https://kubernetes.default.svc/openid/v1/jwks
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.fetchKeys(JWTSignatureValidator.java:418)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.setupExecutorAndFetchInitialKeys(JWTSignatureValidator.java:281)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.<init>(JWTSignatureValidator.java:198)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.lambda$setupJWKSValidator$1(JaasServerOauthValidatorCallbackHandler.java:498)
	at io.strimzi.kafka.oauth.services.Validators.get(Validators.java:45)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.setupJWKSValidator(JaasServerOauthValidatorCallbackHandler.java:524)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.delegatedConfigure(JaasServerOauthValidatorCallbackHandler.java:310)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.configure(JaasServerOauthValidatorCallbackHandler.java:238)
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:154)
	... 22 more
Caused by: io.strimzi.kafka.oauth.common.HttpException: GET request to https://kubernetes.default.svc/openid/v1/jwks failed with status 403: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"forbidden: User \"system:anonymous\" cannot get path \"/openid/v1/jwks\"","reason":"Forbidden","details":{},"code":403}

	at io.strimzi.kafka.oauth.common.HttpUtil.handleResponse(HttpUtil.java:535)
	at io.strimzi.kafka.oauth.common.HttpUtil.request(HttpUtil.java:492)
	at io.strimzi.kafka.oauth.common.HttpUtil.get(HttpUtil.java:196)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.fetchKeys(JWTSignatureValidator.java:385)
	... 30 more

If you allow that with some role bindings, getting :

2025-05-07 03:58:16,863 ERROR [BrokerServer id=0] Fatal error during broker startup. Prepare to shutdown (kafka.server.BrokerServer) [main]
org.apache.kafka.common.KafkaException: io.strimzi.kafka.oauth.services.ServiceException: Failed to fetch public keys needed to validate JWT signatures: https://kubernetes.default.svc/openid/v1/jwks
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:187)
	at org.apache.kafka.common.network.ChannelBuilders.create(ChannelBuilders.java:193)
	at org.apache.kafka.common.network.ChannelBuilders.serverChannelBuilder(ChannelBuilders.java:108)
	at kafka.network.Processor.<init>(SocketServer.scala:976)
	at kafka.network.Acceptor.newProcessor(SocketServer.scala:881)
	at kafka.network.Acceptor.$anonfun$addProcessors$1(SocketServer.scala:851)
	at scala.collection.immutable.Range.foreach$mVc$sp(Range.scala:190)
	at kafka.network.Acceptor.addProcessors(SocketServer.scala:850)
	at kafka.network.DataPlaneAcceptor.configure(SocketServer.scala:524)
	at kafka.network.SocketServer.createDataPlaneAcceptorAndProcessors(SocketServer.scala:252)
	at kafka.network.SocketServer.$anonfun$new$31(SocketServer.scala:176)
	at kafka.network.SocketServer.$anonfun$new$31$adapted(SocketServer.scala:176)
	at scala.collection.IterableOnceOps.foreach(IterableOnce.scala:619)
	at scala.collection.IterableOnceOps.foreach$(IterableOnce.scala:617)
	at scala.collection.AbstractIterable.foreach(Iterable.scala:935)
	at kafka.network.SocketServer.<init>(SocketServer.scala:176)
	at kafka.server.BrokerServer.startup(BrokerServer.scala:252)
	at kafka.server.KafkaRaftServer.$anonfun$startup$2(KafkaRaftServer.scala:99)
	at kafka.server.KafkaRaftServer.$anonfun$startup$2$adapted(KafkaRaftServer.scala:99)
	at scala.Option.foreach(Option.scala:437)
	at kafka.server.KafkaRaftServer.startup(KafkaRaftServer.scala:99)
	at kafka.Kafka$.main(Kafka.scala:112)
	at kafka.Kafka.main(Kafka.scala)
Caused by: io.strimzi.kafka.oauth.services.ServiceException: Failed to fetch public keys needed to validate JWT signatures: https://kubernetes.default.svc/openid/v1/jwks
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.fetchKeys(JWTSignatureValidator.java:418)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.setupExecutorAndFetchInitialKeys(JWTSignatureValidator.java:281)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.<init>(JWTSignatureValidator.java:198)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.lambda$setupJWKSValidator$1(JaasServerOauthValidatorCallbackHandler.java:498)
	at io.strimzi.kafka.oauth.services.Validators.get(Validators.java:45)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.setupJWKSValidator(JaasServerOauthValidatorCallbackHandler.java:524)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.delegatedConfigure(JaasServerOauthValidatorCallbackHandler.java:310)
	at io.strimzi.kafka.oauth.server.JaasServerOauthValidatorCallbackHandler.configure(JaasServerOauthValidatorCallbackHandler.java:238)
	at org.apache.kafka.common.network.SaslChannelBuilder.configure(SaslChannelBuilder.java:154)
	... 22 more
Caused by: io.strimzi.kafka.oauth.common.HttpException: GET request to https://kubernetes.default.svc/openid/v1/jwks failed with status 406: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"406: Not Acceptable\n\nAvailable representations: application/jwk-set+json","reason":"NotAcceptable","details":{},"code":406}

	at io.strimzi.kafka.oauth.common.HttpUtil.handleResponse(HttpUtil.java:535)
	at io.strimzi.kafka.oauth.common.HttpUtil.request(HttpUtil.java:492)
	at io.strimzi.kafka.oauth.common.HttpUtil.get(HttpUtil.java:196)
	at io.strimzi.kafka.oauth.validator.JWTSignatureValidator.fetchKeys(JWTSignatureValidator.java:385)
	... 30 more	

If this feature is not currently supported, are there any recommended workarounds or alternative approaches to achieve this functionality in Strimzi?

[ppatierno]

You should find more info about it in the doc here https://strimzi.io/docs/operators/latest/deploying#assembly-oauth-security-str where there is a section dedicated to the usage of Kubernetes service account. @mstruk maybe you can help more here?

[scholzj]

You shoud also check the issues where there are several issues covering missing features to the SA authentication.

[mstruk]

There is a concrete example of how to configure it: https://strimzi.io/docs/operators/latest/deploying#:~:text=Configuring%20fast%20local%20JWT%20token%20validation%20with%20Kubernetes%20service%20accounts

[AnjanaAK]

There is a concrete example of how to configure it: https://strimzi.io/docs/operators/latest/deploying#:~:text=Configuring%20fast%20local%20JWT%20token%20validation%20with%20Kubernetes%20service%20accounts

@mstruk Thank you for that reference.

How can I configure the authorization in this case (specific service accounts should be able to access only specific topics)?

I found an issue related to KafkaUser not supporting this now: #10353