Authenticate to Confluent Cloud using OAuth/OIDC with Auth0 as Identity Provider

Overview

Confluent Cloud supports OAuth 2.0 / OpenID Connect (OIDC) for secure, token-based authentication of workloads, which makes it a good fit for applications and services. To authenticate to Confluent Cloud using OAuth/OIDC with Auth0 as your Identity Provider (IdP), follow the procedure described below.

  1. Configure Auth0 as an OIDC Provider.
    1. Create an Application in Auth0:
      1. Log in to your Auth0 dashboard
      2. Navigate to Applications and click Create Application.
      3. Specify a Name for the application.
      4. Select Machine to Machine (M2M) Applications.
      5. Add the required Permissions, and click Authorize.
    2. In the application settings, note the Client ID and Client Secret.
    3. Click Settings to define a default audience in the API Authorizations Settings section. Set this to the API Identifier, which in this example is https://dev-bkbwr0ycpbpxxiv5.us.auth0.com/api/v2/. You can get this URI from the API tab in the application.
      Note:

      The Identifier will serve as the Audience in your token requests.

  2. Add Auth0 as an Identity Provider in Confluent Cloud
    1. Log into Confluent Cloud Console.
    2. Navigate to Settings > Accounts & Access > Workload Identities.
    3. Click Add identity providers.
    4. Select OAuth/OIDC and click Next.
    5. Select Other OIDC identity provider.
    6. Provide a meaningful Name and Description.
    7. Enter the OIDC Discovery URL obtained from Auth0.
    8. Click Import from OIDC Discovery URL to auto-fill the JWKS URI and Issuer URI. The OIDC Discovery URL typically has the form https://<your-domain>.auth0.com/.well-known/openid-configuration.
    9. Click Validate and save to add the identity provider.
  3. Create an Identity Pool in Confluent Cloud
    1. In the Confluent Cloud Console, go to Settings > Accounts & Access > Workload Identities.
    2. Click Add identity pool.
      • Provide a Name and Description.
      • Select the previously added Auth0 identity provider.
    3. Optionally, configure Filters based on token claims so that matching identities are assigned to this pool automatically.
    4. Click Add new permissions.
    5. Assign appropriate RBAC roles to the identity pool to control access.
    6. Click Save to create the identity pool.
    7. Record the Cluster ID and the Pool ID. These are set in the Kafka Snap via SASL extension properties.

Failure: JWT_PROCESSING_FAILED Error

This error has several possible causes, such as a mismatch between the Issuer URI entered in Confluent Cloud and the issuer URI carried in the JWT, or the expiry of the JWKS keys.

Ensure that the Issuer URI configured in Confluent Cloud and the issuer URI in the JWT match exactly, and refresh the keys in Confluent Cloud.
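The following pre-flight check, added here as an example and not part of the original article or of any Confluent or Auth0 tooling, decodes a token issued by the IdP and reports the conditions described above (issuer mismatch, audience mismatch against the Identifier from step 1.3, a signing key id no longer present in the JWKS, and expiry) before the token is ever presented to Confluent Cloud. The issuer, audience, JWKS and tokens below are constructed placeholders; make_unsigned_jwt exists only to build those fixtures.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    # Test fixture only: a compact JWT with a dummy signature. The check below
    # looks for configuration mismatches in the claims and never trusts the signature.
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     _b64url(b"dummy-signature")])

def decode_jwt_unverified(token: str) -> tuple:
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def check_token(token: str, expected_issuer: str, expected_audience: str, jwks: dict, now=None) -> list:
    """Return the problems found; an empty list means none of the checked causes apply."""
    header, payload = decode_jwt_unverified(token)
    problems = []
    # 1. iss must equal the Issuer URI configured in Confluent Cloud byte-for-byte.
    #    Auth0 issuers end with a slash, so a missing trailing slash is a common mismatch.
    if payload.get("iss") != expected_issuer:
        problems.append(f"iss mismatch: token={payload.get('iss')!r} configured={expected_issuer!r}")
    # 2. aud must include the API Identifier set as the default audience in Auth0.
    aud = payload.get("aud", [])
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud mismatch: token={aud!r} expected={expected_audience!r}")
    # 3. The signing key id must still be published in the JWKS; after the IdP rotates
    #    its keys, the copy cached in Confluent Cloud is stale and needs a refresh.
    kids = {k.get("kid") for k in jwks.get("keys", [])}
    if header.get("kid") not in kids:
        problems.append(f"kid {header.get('kid')!r} not in JWKS; refresh keys")
    # 4. An expired token is rejected regardless of the other checks.
    now = time.time() if now is None else now
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

# Constructed placeholders, not real tenant values or credentials.
ISSUER = "https://<your-domain>.auth0.com/"
AUDIENCE = "https://<your-domain>.auth0.com/api/v2/"
JWKS = {"keys": [{"kty": "RSA", "kid": "key-2024", "use": "sig"}]}
```

To use it against a real deployment, pass a token obtained from Auth0 together with the Issuer URI and audience you configured and the key set downloaded from the jwks_uri in the discovery document.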

Configure Kafka OAuth2 Account
  1. Configure the following settings with the values obtained from the Auth0 and Confluent Cloud consoles during the steps above:
    1. <your-bootstrap-server>: Confluent Cloud Kafka bootstrap server URL.
    2. <your-domain>: Auth0 domain.
    3. <your-client-id> and <your-client-secret>: Obtained from Auth0 application settings.
    4. <your-cluster-id>: Confluent Cloud cluster ID.
    5. <your-identity-pool-id>: The ID of the identity pool created in Confluent Cloud.

  2. Validate the account. The account should be validated successfully.