Specifies the extension values to send with OAuth auth schemes.

Data Type

string

Default Value

""

Remarks

When authenticating using OAuth, the provider obtains an OAuth access token according to the chosen AuthScheme. The provider uses the Kafka native library to authenticates to the broker using SASL OAUTHBEARER. The OAUTHBEARER mechanism sends the access token along with an optional list of extension settings.

This property accepts a semicolon-separated list of key-value pairs. These options are mapped to extension settings during OAUTHBEARER authentication. For example, clusterId=1;computePool=primary sets the clusterId and computePool extension settings.

Extension settings are vendor-defined, you should refer to your provider's documentation since individual managed Kafka providers may allow (or even require) specific extensions. Providers typically document these settings as JAAS configurations since the Kafka client library is configured with this format. JAAS configurations with extension settings prefix them with extension_. To provide the following configuration to the provider, set SASLOAuthExtensions to logicalCluster=clust-123;identityPoolId=mypool.

sasl.jaas.config= \
  org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required \
    clientId='...'
    scope='...'
    clientSecret='...'
    extension_logicalCluster='clust-123';
    extension_identityPoolId='mypool';

This option only applies to the following AuthScheme configurations. Other authentication schemes ignore this property because they do not use OAUTHBEARER.

• KafkaOAuthClient
• AzureAD
• AzureMSI
• AzureServicePrincipal
• AzureServicePrincipalCert
• OAuthJWT
• GCPInstanceAccount
• AWSWorkloadIdentity