Commit 8f52f5e

Change to align with KIP
1 parent e2dd7f7 commit 8f52f5e

5 files changed

+863
-320
lines changed

CONFIGURATION.md

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -100,17 +100,21 @@ enable.sasl.oauthbearer.unsecure.jwt | * | true, false | false
100100
oauthbearer_token_refresh_cb | * | | | low | SASL/OAUTHBEARER token refresh callback (set with rd_kafka_conf_set_oauthbearer_token_refresh_cb(), triggered by rd_kafka_poll(), et.al. This callback will be triggered when it is time to refresh the client's OAUTHBEARER token. Also see `rd_kafka_conf_enable_sasl_queue()`. <br>*Type: see dedicated API*
101101
sasl.oauthbearer.method | * | default, oidc | default | low | Set to "default" or "oidc" to control which login method to be used. If set to "oidc", the following properties must also be be specified: `sasl.oauthbearer.client.id`, `sasl.oauthbearer.client.secret`, and `sasl.oauthbearer.token.endpoint.url`. <br>*Type: enum value*
102102
sasl.oauthbearer.client.id | * | | | low | Public identifier for the application. Must be unique across all clients that the authorization server handles. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
103+
sasl.oauthbearer.client.credentials.client.id | * | | | low | Alias for `sasl.oauthbearer.client.id`: Public identifier for the application. Must be unique across all clients that the authorization server handles. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
104+
sasl.oauthbearer.client.credentials.client.secret | * | | | low | Alias for `sasl.oauthbearer.client.secret`: Client secret only known to the application and the authorization server. This should be a sufficiently random string that is not guessable. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
103105
sasl.oauthbearer.client.secret | * | | | low | Client secret only known to the application and the authorization server. This should be a sufficiently random string that is not guessable. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
106+
sasl.oauthbearer.grant.type | * | oidc, urn:ietf:params:oauth:grant-type:jwt-bearer | oidc | low | OAuth grant type to use when communicating with the identity provider. <br>*Type: enum value*
107+
sasl.oauthbearer.assertion.private.key.file | * | | | low | Path to client's private key (PEM) used for authentication. <br>*Type: string*
108+
sasl.oauthbearer.assertion.private.key.passphrase | * | | | low | Private key passphrase (for use with `ssl.key.location` and `set_ssl_cert()`) <br>*Type: string*
109+
sasl.oauthbearer.assertion.private.key.pem | * | | | low | Private key passphrase (for use with `ssl.key.location` and `set_ssl_cert()`) <br>*Type: string*
110+
sasl.oauthbearer.assertion.file | * | | | low | Path to the assertion file. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT grant type is needed. <br>*Type: string*
111+
sasl.oauthbearer.assertion.expiration | * | 0 .. 0 | 0 | low | Assertion expiration time in seconds. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT grant type is needed. <br>*Type: integer*
112+
sasl.oauthbearer.assertion.notbefore | * | 0 .. 0 | 0 | low | Assertion not before time in seconds. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT grant type is needed. <br>*Type: integer*
113+
sasl.oauthbearer.assertion.jwt.template.file | * | | | low | Path to the JWT template file. Only used when `sasl.oauthbearer.method` is set to "oidc" and JWT grant type is needed. <br>*Type: string*
104114
sasl.oauthbearer.scope | * | | | low | Client use this to specify the scope of the access request to the broker. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
105115
sasl.oauthbearer.extensions | * | | | low | Allow additional information to be provided to the broker. Comma-separated list of key=value pairs. E.g., "supportFeatureX=true,organizationId=sales-emea".Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
106116
sasl.oauthbearer.token.endpoint.url | * | | | low | OAuth/OIDC issuer token endpoint HTTP(S) URI used to retrieve token. Only used when `sasl.oauthbearer.method` is set to "oidc". <br>*Type: string*
107-
sasl.oauthbearer.private.key.id | * | | | low | Private key id. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
108-
sasl.oauthbearer.private.key.secret | * | | | low | Private key id. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
109-
sasl.oauthbearer.token.signing.algorithm | * | | | low | token_signing_algorithm. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
110-
sasl.oauthbearer.token.subject | * | | | low | token_signing_algorithm. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
111-
sasl.oauthbearer.token.issuer | * | | | low | token_issuer. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
112-
sasl.oauthbearer.token_audience | * | | | low | token_audience. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
113-
sasl.oauthbearer.token_target_audience | * | | | low | token_target_audience. Only used when `sasl.oauthbearer.method` is set to "jwt". <br>*Type: string*
117+
sasl.oauthbearer.assertion.algorithm | * | RS256, ES256 | RS256 | low | This is the algorithm the client should use to sign the assertion sent to the identity provider and in the OAuth alg header in the JWT assertion. <br>*Type: enum value*
114118
plugin.library.paths | * | | | low | List of plugin libraries to load (; separated). The library search path is platform dependent (see dlopen(3) for Unix and LoadLibrary() for Windows). If no filename extension is specified the platform-specific extension (such as .dll or .so) will be appended automatically. <br>*Type: string*
115119
interceptors | * | | | low | Interceptors added through rd_kafka_conf_interceptor_add_..() and any configuration handled by interceptors. <br>*Type: see dedicated API*
116120
group.id | C | | | high | Client group id string. All clients sharing the same group.id belong to the same group. <br>*Type: string*
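Review bot: The description of `sasl.oauthbearer.assertion.private.key.pem` is a copy of the passphrase entry directly above it ("Private key passphrase (for use with `ssl.key.location` and `set_ssl_cert()`)"); it should describe the PEM-encoded key itself, for example "Client's private key (PEM) used to sign the assertion, as an in-memory alternative to `sasl.oauthbearer.assertion.private.key.file`". The passphrase entry has the mirror problem: it points at the TLS properties `ssl.key.location` and `set_ssl_cert()` instead of at the assertion key it actually unlocks (`sasl.oauthbearer.assertion.private.key.file` / `.pem`). Two smaller points in the same hunk: `sasl.oauthbearer.assertion.expiration` and `sasl.oauthbearer.assertion.notbefore` are documented with the range "0 .. 0", which would make the default the only legal value, so the range looks wrong; and the phrase "when `sasl.oauthbearer.method` is set to "oidc" and JWT grant type is needed", repeated in several new entries, would be clearer as "when `sasl.oauthbearer.grant.type` is set to `urn:ietf:params:oauth:grant-type:jwt-bearer`", since that is the property introduced here to select it.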

src/rdkafka.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2433,7 +2433,8 @@ rd_kafka_t *rd_kafka_new(rd_kafka_type_t type,
24332433
RD_KAFKA_SASL_OAUTHBEARER_METHOD_OIDC &&
24342434
!rk->rk_conf.sasl.oauthbearer.token_refresh_cb) {
24352435
/* Use JWT bearer */
2436-
if (!rk->rk_conf.sasl.oauthbearer.private_key_id) {
2436+
if (rk->rk_conf.sasl.oauthbearer.grant_type ==
2437+
RD_KAFKA_SASL_OAUTHBEARER_GRANT_TYPE_OIDC) {
24372438
rd_kafka_conf_set_oauthbearer_token_refresh_cb(
24382439
&rk->rk_conf, rd_kafka_oidc_token_refresh_cb);
24392440
} else {
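Review bot: The `/* Use JWT bearer */` comment is now misleading: the new condition `rk->rk_conf.sasl.oauthbearer.grant_type == RD_KAFKA_SASL_OAUTHBEARER_GRANT_TYPE_OIDC` guards the branch that installs `rd_kafka_oidc_token_refresh_cb`, i.e. the plain OIDC path, and the JWT bearer case is the `else`. Either move the comment into the `else` branch or reword it to something like "Select the token refresh callback by grant type". Since the selector changes from "a private key id is configured" (`!rk->rk_conf.sasl.oauthbearer.private_key_id`) to an explicit `grant_type`, it is also worth confirming that configuration validation rejects the jwt-bearer grant type when neither `sasl.oauthbearer.assertion.file` nor an assertion private key is set, so the `else` branch cannot be reached with nothing to sign; that check is outside this hunk.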
