Configure OIDC SSO for the Confluent CLI on Confluent Platform

OpenID Connect (OIDC) is an authentication layer built on top of the OAuth 2.0 protocol. Authentication with OIDC on Confluent Platform permits you to integrate with an identity provider (IdP) such as Okta to support one or more authentication flows. For example, your integration could have an SSO OIDC flow for authenticating users and another flow for client application or service credential authentication. The example on this page for the Confluent CLI configures an OIDC SSO flow that authenticates users only.

The Confluent CLI uses device grant flow. The Metadata Service (MDS) acts as the intermediary that enables the OIDC SSO flow where MDS interacts primarily with the identity provider (IdP). The CLI never directly interacts with the IdP. Thus, to enable OIDC SSO flows for the CLI, you must configure the MDS intermediary.

Configure, Test, and Verify OIDC SSO

Complete the steps in this procedure to configure, test SSO, and verify user access via the Confluent CLI using OpenID Connect (OIDC).

Step 1: Add OIDC properties

1. Add the following OIDC properties to your MDS configuration in your properties file. For ZooKeeper mode this file is $CONFLUENT_HOME/etc/kafka/server.properties or in KRaft mode, $CONFLUENT_HOME/etc/kafka/kraft/broker.properties.

   confluent.metadata.server.sso.mode=oidc
   confluent.oidc.idp.jwks.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/jwks_keys
   confluent.oidc.idp.authorize.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/authorize
   confluent.oidc.idp.device.authorization.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/device/authorize
   confluent.oidc.idp.client.id=<client-id>
   confluent.oidc.idp.client.secret=<client-secret>
   confluent.oidc.idp.token.base.endpoint.uri=https://your-idp-domain.com/oauth2/your-auth-server-id/v1/token
   confluent.oidc.idp.issuer=https://your-idp-domain.com/oauth2/your-auth-server-id
   confluent.oidc.idp.refresh.token.enabled=true
   confluent.oidc.session.token.expiry.ms=120000
   confluent.oidc.session.max.timeout.ms=600000
   

   As this configuration is for user authentication only, it requires the endpoints and client app details of the IdP hosting your user identities. Replace your-idp-domain.com and your-auth-server-id with your identity provider’s domain and authorization server ID.

2. Save and close the properties file.

3. Gracefully shutdown and restart the server for your changes to take effect.

Step 2: Install the Confluent CLI

The Confluent CLI is packaged and available in every Confluent Platform release. Single sign-on for Confluent CLI is available starting with version 3.64.3. If you need to update your CLI installation, see the update command.

Step 3: Test SSO sign-in

Once you configure an identity provider, the confluent login command redirects users to a browser to sign in using that provider. This flow happens in environments with a browser or without. For environments with a browser, use the following command:

confluent login --url https://<mds-url>:<mds-port> \
      --certificate-authority-path <path-to-ca-crt>

For an environment without a browser, such as a jump host, add the --no-browser flag, like this:

confluent login --url https://<mds-url>:<mds-port> \
  --certificate-authority-path <path-to-ca-crt> \
  --no-browser

This command asks you for email and prints out of a URL, for example:

Enter your Confluent credentials:
Email: smith@confluent.io
Navigate to the following link in your browser to authenticate:
https://login.confluent.io/authorize?response_type=code&code_challenge=NovO_c6FO44G-6cfRbqTrBcEOrDnvm7GNZLCHCmbPM8&code_challenge_method=S252&client_id=hPbGLM8G55HSaUsaaieiiAprnJaEc3rH&redirect_uri=https://confluent.cloud/cli_callback&scope=email%20openid&audience=https://confluent.auth0.com/api/v2/&state=CoOGX1aQhvwdH2dFSvKV-gh09INnYcXFaYbUnWq3Ekw&connection=big-company

After authenticating in your browser, paste the code here:

Pasting the URL into the browser causes it to display a code. Once you copy and paste back into in the Confluent CLI, your login is complete.

Step 4: Display the user environment

At this point, you should have successfully logged in using SSO. Display your Confluent Platform user environment with the following command:

confluent iam user describe -o json

Step 5: Verify user authorization

Try some Confluent CLI commands that access resources to ensure that the user has the authorization you expect. For example, you can create a Kafka topic (ensure the signed-in user has proper RBAC roles) by running the following Confluent CLI command:

confluent kafka topic create test-topic --url https://<kafka-url>:8090/kafka

Switching back to HTTP Basic Authentication

If you configured CLI SSO on an existing cluster with upgrades, and the metadata store has LDAP server configured as the user store along with OIDC, you have the option to switch back to HTTP Basic Authentication if required.

To switch back to HTTP Basic Authentication and sign in using your username and password, you can use the --prompt flag, like this:

confluent login --url https://<mds-url>:<mds-port> \
  --certificate-authority-path <path-to-ca-crt> \
  --prompt

Session timeout for Confluent CLI SSO sign-in

The confluent.oidc.session.max.timeout.ms property controls the session timeout for signing in with SSO.

If the configuration enables refresh tokens (confluent.oidc.idp.refresh.token.enabled=true), the identity provider’s refresh token settings control the timeout.