Added OAuthBearer authentication mode (#437)

Co-authored-by: Hakan Altinbasak <hakan.altinbasak@avanade.com>
Co-authored-by: jainharsh98 <jainh@microsoft.com>

Author: nakah

README.md

@@ -344,6 +344,12 @@ Both, trigger and output, can connect to a secure Kafka broker. The following at
 |SslKeyPassword|ssl.key.password|Password for client's certificate|
 |SslCertificateLocation|ssl.certificate.location|Path to client's certificate|
 |SslCaLocation|ssl.ca.location|Path to CA certificate file for verifying the broker's certificate|
+|OAuthBearerMethod|sasl.oauthbearer|OAuth bearer method. Only 'default' or 'oidc'. AuthenticationMode must be set to OAuthBearer
+|OAuthBearerClientId|sasl.oauthbearer.client.id|OIDC ClientId
+|OAuthBearerClientSecret|sasl.oauthbearer.client.secret|OIDC ClientSecret
+|OAuthBearerScope|sasl.oauthbearer.scope|OIDC Scope
+|OAuthBearerTokenEndpointUrl|sasl.oauthbearer.token.endpoint.url|Token endpoint URL
+|OAuthBearerExtensions|sasl.oauthbearer.extensions|Comma separated key/value pair required by Confluent Kafka
 
 Username and password should reference a Azure function configuration variable and not be hardcoded.
 

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Config/BrokerAuthenticationMode.cs

@@ -16,6 +16,7 @@ public enum BrokerAuthenticationMode
         Gssapi,
         Plain,
         ScramSha256,
-        ScramSha512
+        ScramSha512,
+        OAuthBearer
     }
 }

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Config/OAuthBearerMethod.cs

@@ -0,0 +1,18 @@
+// Copyright (c) .NET Foundation. All rights reserved.
+// Licensed under the MIT License. See License.txt in the project root for license information.
+
+using System;
+using System.Collections.Generic;
+using System.Text;
+
+namespace Microsoft.Azure.WebJobs.Extensions.Kafka.Config
+{
+    /// <summary>
+    /// Defines the OAuth bearer method
+    /// </summary>
+    public enum OAuthBearerMethod
+    {
+        Default,
+        Oidc
+    }
+}

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Listeners/KafkaListener.cs

@@ -190,6 +190,14 @@ private ConsumerConfig GetConsumerConfiguration()
                 SslKeyLocation = this.listenerConfiguration.SslKeyLocation,
                 SslKeyPassword = this.listenerConfiguration.SslKeyPassword,
 
+                // OAuthBearer config
+                SaslOauthbearerMethod = this.listenerConfiguration.SaslOAuthBearerMethod,
+                SaslOauthbearerClientId = this.listenerConfiguration.SaslOAuthBearerClientId,
+                SaslOauthbearerClientSecret = this.listenerConfiguration.SaslOAuthBearerClientSecret,
+                SaslOauthbearerScope = this.listenerConfiguration.SaslOAuthBearerScope,
+                SaslOauthbearerTokenEndpointUrl = this.listenerConfiguration.SaslOAuthBearerTokenEndpointUrl,
+                SaslOauthbearerExtensions = this.listenerConfiguration.SaslOAuthBearerExtensions,
+
                 // Values from host configuration
                 StatisticsIntervalMs = this.options.StatisticsIntervalMs,
                 ReconnectBackoffMs = this.options.ReconnectBackoffMs,

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Output/KafkaAttribute.cs

@@ -3,6 +3,7 @@
 
 using System;
 using Microsoft.Azure.WebJobs.Description;
+using Microsoft.Azure.WebJobs.Extensions.Kafka.Config;
 
 namespace Microsoft.Azure.WebJobs.Extensions.Kafka
 {
@@ -82,7 +83,7 @@ public KafkaAttribute()
 
         /// <summary>
         /// SASL mechanism to use for authentication. 
-        /// Allowed values: Gssapi, Plain, ScramSha256, ScramSha512
+        /// Allowed values: Gssapi, Plain, ScramSha256, ScramSha512, OAuthBearer
         /// Default: Plain
         /// 
         /// sasl.mechanism in librdkafka
@@ -158,5 +159,49 @@ public KafkaAttribute()
         /// Password for the Avro Schema Registry
         /// </summary>
         public string SchemaRegistryPassword { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer method.
+        /// Either 'default' or 'oidc'
+        /// sasl.oauthbearer in librdkafka
+        /// </summary>
+        public OAuthBearerMethod OAuthBearerMethod { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Id
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.id in librdkafka
+        /// </summary>
+        public string OAuthBearerClientId { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Secret
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.secret in librdkafka
+        /// </summary>
+        public string OAuthBearerClientSecret { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer scope.
+        /// Client use this to specify the scope of the access request to the broker. 
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string OAuthBearerScope { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer token endpoint url.
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.token.endpoint.url in librdkafka
+        /// </summary>
+        public string OAuthBearerTokenEndpointUrl { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer extensions.
+        /// Allow additional information to be provided to the broker.
+        /// Comma-separated list of key=value pairs. E.g., "supportFeatureX=true,organizationId=sales-emea"
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string OAuthBearerExtensions { get; set; }
     }
 }

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Output/KafkaProducerFactory.cs

@@ -134,7 +134,7 @@ public ProducerConfig GetProducerConfig(KafkaProducerEntity entity)
                 Debug = kafkaOptions?.LibkafkaDebug,
                 MetadataMaxAgeMs = kafkaOptions?.MetadataMaxAgeMs,
                 SocketKeepaliveEnable = kafkaOptions?.SocketKeepaliveEnable,
-                LingerMs = entity.Attribute.LingerMs
+                LingerMs = entity.Attribute.LingerMs,
             };
 
             if (entity.Attribute.AuthenticationMode != BrokerAuthenticationMode.NotSet)
@@ -147,6 +147,16 @@ public ProducerConfig GetProducerConfig(KafkaProducerEntity entity)
                 conf.SecurityProtocol = (SecurityProtocol)entity.Attribute.Protocol;
             }
 
+            if (entity.Attribute.AuthenticationMode == BrokerAuthenticationMode.OAuthBearer)
+            {
+                conf.SaslOauthbearerMethod = (SaslOauthbearerMethod)entity.Attribute.OAuthBearerMethod;
+                conf.SaslOauthbearerClientId = entity.Attribute.OAuthBearerClientId;
+                conf.SaslOauthbearerClientSecret = entity.Attribute.OAuthBearerClientSecret;
+                conf.SaslOauthbearerScope = entity.Attribute.OAuthBearerScope;
+                conf.SaslOauthbearerTokenEndpointUrl = entity.Attribute.OAuthBearerTokenEndpointUrl;
+                conf.SaslOauthbearerExtensions = entity.Attribute.OAuthBearerExtensions;
+            }
+
             return conf;
         }
     }

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Trigger/KafkaListenerConfiguration.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using Confluent.Kafka;
+using Microsoft.Azure.WebJobs.Extensions.Kafka.Config;
 
 namespace Microsoft.Azure.WebJobs.Extensions.Kafka
 {
@@ -100,6 +101,51 @@ public class KafkaListenerConfiguration
         /// </summary>
         public long LagThreshold { get; set; }
 
+        /// <summary>
+        /// OAuth Bearer method.
+        /// Either 'default' or 'oidc'
+        /// sasl.oauthbearer in librdkafka
+        /// </summary>
+        public SaslOauthbearerMethod SaslOAuthBearerMethod { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Id
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.id in librdkafka
+        /// </summary>
+        public string SaslOAuthBearerClientId { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Secret
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.secret in librdkafka
+        /// </summary>
+        public string SaslOAuthBearerClientSecret { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer scope.
+        /// Client use this to specify the scope of the access request to the broker. 
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string SaslOAuthBearerScope { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer token endpoint url.
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.token.endpoint.url in librdkafka
+        /// </summary>
+        public string SaslOAuthBearerTokenEndpointUrl { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer extensions.
+        /// Allow additional information to be provided to the broker.
+        /// Comma-separated list of key=value pairs. E.g., "supportFeatureX=true,organizationId=sales-emea"
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string SaslOAuthBearerExtensions { get; set; }
+
+
         internal void ApplyToConfig(ClientConfig conf)
         {
             if (this.SaslMechanism.HasValue)

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Trigger/KafkaTriggerAttribute.cs

@@ -3,6 +3,7 @@
 
 using Avro.Specific;
 using Microsoft.Azure.WebJobs.Description;
+using Microsoft.Azure.WebJobs.Extensions.Kafka.Config;
 using System;
 
 namespace Microsoft.Azure.WebJobs.Extensions.Kafka
@@ -129,6 +130,50 @@ public KafkaTriggerAttribute(string brokerList, string topic)
         /// </summary>
         public string SchemaRegistryPassword { get; set; }
 
+        /// <summary>
+        /// OAuth Bearer method.
+        /// Either 'default' or 'oidc'
+        /// sasl.oauthbearer in librdkafka
+        /// </summary>
+        public OAuthBearerMethod OAuthBearerMethod { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Id
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.id in librdkafka
+        /// </summary>
+        public string OAuthBearerClientId { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer Client Secret
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.client.secret in librdkafka
+        /// </summary>
+        public string OAuthBearerClientSecret { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer scope.
+        /// Client use this to specify the scope of the access request to the broker. 
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string OAuthBearerScope { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer token endpoint url.
+        /// Specify only when OAuthBearerMethod is 'oidc'
+        /// sasl.oauthbearer.token.endpoint.url in librdkafka
+        /// </summary>
+        public string OAuthBearerTokenEndpointUrl { get; set; }
+
+        /// <summary>
+        /// OAuth Bearer extensions.
+        /// Allow additional information to be provided to the broker.
+        /// Comma-separated list of key=value pairs. E.g., "supportFeatureX=true,organizationId=sales-emea"
+        /// sasl.oauthbearer.extensions in librdkafka
+        /// </summary>
+        public string OAuthBearerExtensions { get; set; }
+
         bool IsValidValueType(Type value)
         {
             return

src/Microsoft.Azure.WebJobs.Extensions.Kafka/Trigger/KafkaTriggerAttributeBindingProvider.cs

@@ -5,6 +5,7 @@
 using System.Reflection;
 using System.Threading.Tasks;
 using Confluent.Kafka;
+using Microsoft.Azure.WebJobs.Extensions.Kafka.Config;
 using Microsoft.Azure.WebJobs.Extensions.Kafka.Trigger;
 using Microsoft.Azure.WebJobs.Host.Bindings;
 using Microsoft.Azure.WebJobs.Host.Listeners;
@@ -115,6 +116,16 @@ private KafkaListenerConfiguration CreateConsumerConfiguration(KafkaTriggerAttri
                 {
                     consumerConfig.SecurityProtocol = (SecurityProtocol)attribute.Protocol;
                 }
+
+                if (attribute.AuthenticationMode == BrokerAuthenticationMode.OAuthBearer)
+                {
+                    consumerConfig.SaslOAuthBearerMethod = (SaslOauthbearerMethod) attribute.OAuthBearerMethod;
+                    consumerConfig.SaslOAuthBearerClientId = this.config.ResolveSecureSetting(nameResolver, attribute.OAuthBearerClientId);
+                    consumerConfig.SaslOAuthBearerClientSecret = this.config.ResolveSecureSetting(nameResolver, attribute.OAuthBearerClientSecret);
+                    consumerConfig.SaslOAuthBearerScope = this.config.ResolveSecureSetting(nameResolver, attribute.OAuthBearerScope);
+                    consumerConfig.SaslOAuthBearerTokenEndpointUrl = this.config.ResolveSecureSetting(nameResolver, attribute.OAuthBearerTokenEndpointUrl);
+                    consumerConfig.SaslOAuthBearerExtensions = this.config.ResolveSecureSetting(nameResolver, attribute.OAuthBearerExtensions);
+                }
             }
 
             return consumerConfig;