This module is used to support the Pulsar client authentication plugin for OAuth 2.0. After communicating with the Oauth 2.0 server, the Pulsar client gets an from the Oauth 2.0 server, and passes this access token to the Pulsar broker to do the authentication. The broker can use the org.apache.pulsar.broker.authentication.AuthenticationProviderToken. Or, you can add your own AuthenticationProvider to make it with this module.

This library allows you to authenticate the Pulsar client by using an access token that is obtained from an OAuth 2.0 authorization service, which acts as a token issuer.

The authentication type determines how to obtain an access token through an OAuth 2.0 authorization flow.

Note

Client credentials

The credentials file contains service account credentials used with the client authentication type. The following shows an example of a credentials file credentials_file.json.

In the above example, the authentication type is set to by default. And the fields “client_id” and “client_secret” are required.

The following shows a typical original Oauth2 request, which is used to obtain the access token from the Oauth2 server.

  1. curl --request POST \
  2.   --header 'content-type: application/json' \
  3.   --data '{
  4.   "client_id":"Xd23RHsUnvUlP7wchjNYOaIfazgeHd9x",
  5.   "client_secret":"rT7ps7WY8uhdVuBTKWZkttwLdQotmdEliaM5rLfmgNibvqziZ-g07ZH52N_poGAb",
  6.   "audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/",
  7.   "grant_type":"client_credentials"}'

In the above example, the mapping relationship is shown as below.

  • The issuerUrl parameter in this plugin is mapped to --url https://dev-kt-aa9ne.us.auth0.com/oauth/token.
  • The privateKey file parameter in this plugin should at least contains the client_id and client_secret fields.
  • The audience parameter in this plugin is mapped to "audience":"https://dev-kt-aa9ne.us.auth0.com/api/v2/".

Client Configuration

You can use the factory method to configure authentication for Pulsar Java client.

In addition, you can also use the encoded parameters to configure authentication for Pulsar Java client.

  1. Authentication auth = AuthenticationFactory
  3. PulsarClient client = PulsarClient.builder()
  4.     .authentication(auth)
  5.     .build();

The C++ client is similar to the Java client. You need to provide parameters of issuerUrl, private_key (the credentials file path), and the audience.

To enable OAuth2 authentication in Go client, you need to configure OAuth2 authentication. This example shows how to configure OAuth2 authentication in Go client.

  1. oauth := pulsar.NewAuthenticationOAuth2(map[string]string{
  2.         "type":       "client_credentials",
  3.         "issuerUrl":  "https://dev-kt-aa9ne.us.auth0.com/oauth/token",
  4.         "audience":   "https://dev-kt-aa9ne.us.auth0.com/api/v2/",
  5.         "privateKey": "/path/to/privateKey",
  6.         "clientId":   "0Xx...Yyxeny",
  7.     })
  8. client, err := pulsar.NewClient(pulsar.ClientOptions{
  9.         URL:              "puslar://my-cluster:6650",
  10.         Authentication:   oauth,