Client authentication using OAuth 2.0 access tokens
This module is used to support the Pulsar client authentication plugin for OAuth 2.0. After communicating with the OAuth 2.0 server, the Pulsar client gets an from the OAuth 2.0 server, and passes this access token
to the Pulsar broker to do the authentication. The broker can use the org.apache.pulsar.broker.authentication.AuthenticationProviderToken
. Or, you can add your own AuthenticationProvider
to make it with this module.
This library allows you to authenticate the Pulsar client by using an access token that is obtained from an OAuth 2.0 authorization service, which acts as a token issuer.
The authentication type determines how to obtain an access token through an OAuth 2.0 authorization flow.
note
Currently, the Pulsar Java client only supports the client_credentials
authentication type .
Client credentials
The following table lists parameters supported for the client credentials
authentication type.
The credentials file contains service account credentials used with the client authentication type. The following shows an example of a credentials file credentials_file.json
.
In the above example, the authentication type is set to client_credentials
by default. And the fields “client_id” and “client_secret” are required.
Typical original OAuth2 request mapping
curl --request POST \
--url https://dev-kt-aa9ne.us.auth0.com \
--header 'content-type: application/json' \
--data '{
"client_id":"Xd23RHsUnvUlP7wchjNYOaIfazgeHd9x",
"client_secret":"rT7ps7WY8uhdVuBTKWZkttwLdQotmdEliaM5rLfmgNibvqziZ-g07ZH52N_poGAb",
"audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/",
"grant_type":"client_credentials"}'
In the above example, the mapping relationship is shown as below.
- The
issuerUrl
parameter in this plugin is mapped to--url https://dev-kt-aa9ne.us.auth0.com
. - The
privateKey
file parameter in this plugin should at least contains theclient_id
andclient_secret
fields. - The
audience
parameter in this plugin is mapped to"audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/"
. This field is only used by some identity providers.
You can use the OAuth2 authentication provider with the following Pulsar clients.
Java client
You can use the factory method to configure authentication for Pulsar Java client.
URL issuerUrl = new URL("https://dev-kt-aa9ne.us.auth0.com");
URL credentialsUrl = new URL("file:///path/to/KeyFile.json");
String audience = "https://dev-kt-aa9ne.us.auth0.com/api/v2/";
PulsarClient client = PulsarClient.builder()
.authentication(
AuthenticationFactoryOAuth2.clientCredentials(issuerUrl, credentialsUrl, audience))
.build();
In addition, you can also use the encoded parameters to configure authentication for Pulsar Java client.
The C++ client is similar to the Java client. You need to provide the parameters of , private_key
(the credentials file path), and audience
.
#include <pulsar/Client.h>
pulsar::ClientConfiguration config;
std::string params = R"({
"issuer_url": "https://dev-kt-aa9ne.us.auth0.com",
"private_key": "../../pulsar-broker/src/test/resources/authentication/token/cpp_credentials_file.json",
"audience": "https://dev-kt-aa9ne.us.auth0.com/api/v2/"})";
config.setAuth(pulsar::AuthOauth2::create(params));
pulsar::Client client("pulsar://broker.example.com:6650/", config);
Go client
To enable OAuth2 authentication in Go client, you need to configure OAuth2 authentication. This example shows how to configure OAuth2 authentication in Go client.
oauth := pulsar.NewAuthenticationOAuth2(map[string]string{
"type": "client_credentials",
"issuerUrl": "https://dev-kt-aa9ne.us.auth0.com",
"audience": "https://dev-kt-aa9ne.us.auth0.com/api/v2/",
"privateKey": "/path/to/privateKey",
"clientId": "0Xx...Yyxeny",
})
client, err := pulsar.NewClient(pulsar.ClientOptions{
URL: "pulsar://my-cluster:6650",
Authentication: oauth,
})
Python client
To enable OAuth2 authentication in Python client, you need to configure OAuth2 authentication. This example shows how to configure OAuth2 authentication in Python client.
const Pulsar = require('pulsar-client');
const issuer_url = process.env.ISSUER_URL;
const private_key = process.env.PRIVATE_KEY;
const audience = process.env.AUDIENCE;
const scope = process.env.SCOPE;
const service_url = process.env.SERVICE_URL;
const client_id = process.env.CLIENT_ID;
const client_secret = process.env.CLIENT_SECRET;
const params = {
issuer_url: issuer_url
}
if (private_key.length > 0) {
params['private_key'] = private_key
} else {
params['client_id'] = client_id
params['client_secret'] = client_secret
if (audience.length > 0) {
params['audience'] = audience
}
if (scope.length > 0) {
params['scope'] = scope
}
const auth = new Pulsar.AuthenticationOauth2(params);
// Create a client
const client = new Pulsar.Client({
serviceUrl: service_url,
tlsAllowInsecureConnection: true,
authentication: auth,
});
await client.close();
})();
This section describes how to use Pulsar CLI tools to connect a cluster through OAuth2 authentication plugin.
pulsar-admin
This example shows how to use pulsar-admin to connect to a cluster through OAuth2 authentication plugin.
bin/pulsar-admin --admin-url https://streamnative.cloud:443 \
--auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 \
--auth-params '{"privateKey":"file:///path/to/key/file.json",
"issuerUrl":"https://dev-kt-aa9ne.us.auth0.com",
"audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/"}' \
tenants list
Set the admin-url
parameter to the Web service URL. A Web service URLis a combination of the protocol, hostname and port ID, such as pulsar://localhost:6650
. Set the privateKey
, issuerUrl
, and audience
parameters to the values based on the configuration in the key file. For details, see authentication types.
pulsar-client
This example shows how to use pulsar-client to connect to a cluster through OAuth2 authentication plugin.
Set the admin-url
parameter to the Web service URL. A Web service URLis a combination of the protocol, hostname and port ID, such as pulsar://localhost:6650
. Set the privateKey
, issuerUrl
, and audience
parameters to the values based on the configuration in the key file. For details, see authentication types.
This example shows how to use pulsar-perf to connect to a cluster through OAuth2 authentication plugin.
bin/pulsar-perf produce --service-url pulsar+ssl://streamnative.cloud:6651 \
--auth-plugin org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 \
--auth-params '{"privateKey":"file:///path/to/key/file.json",
"issuerUrl":"https://dev-kt-aa9ne.us.auth0.com",
-r 1000 -s 1024 test-topic