Keycloak with Kafka


I’ve spent the day looking through documentation and trying to get a full setup up and running to have Kafka authentication and authorization up and ready.

Most of it actually works pretty well but my company has two specific requirements:

  • Authentication is done through Okta
  • We use Active Directory for permissions

So I’ve been trying to work on the first part and set up Okta as an identity provider for my Keycloak setup with OpenID Connect, and it works really well through the UI…

That’s the catch: Kafka is not a simple web app I can redirect to. In the GitHub Kafka doc above they use a script that fetches an access_token or refresh_token with OAuth2 through the Keycloak REST API.

And this is where I’m getting lost. Ideally I’m trying to get a nice workflow for the user where he would log in to the Keycloak UI realm using the Okta connection and then get redirected to a page which gives him a token he can use for a few hours to do his work.

The whole issue here is how the user can get his token? Right now the user can log in to the Keycloak realm using Okta and gets redirected back to the Keycloak UI with his account info… and that’s it. The only info missing is that refresh/access token value.

I am new to Keycloak and Okta and I’m really confused on this. Is there any lead I could follow? Has anyone tried a similar setup?

Thanks a lot

In the document (OAuth2 support for Apache Kafka) you linked to, it states:

Configuring the authorization server

At your authorization server, you need to configure a client for Kafka broker, and a client for each of your client applications.

Keycloak is your authorization server. Okta is your IdP (that you federate to).

From your client application (e.g., your Angular app) you use OpenID Connect (e.g., Authorization Code Flow with PKCE) to obtain an access token with the required scopes and claims.
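As an added illustration of that flow (example code written for this thread, not from the post, Keycloak or the Strimzi library): a small Python CLI that runs Authorization Code + PKCE against a Keycloak realm, uses Keycloak's kc_idp_hint parameter to send the user straight to the Okta identity provider, catches the browser redirect on a loopback port and exchanges the code for the token a Kafka client can present. The base URL, realm, client id, redirect URI and IdP alias are assumed placeholders.

```python
"""Obtain a Keycloak access token for a Kafka client via Authorization Code + PKCE."""
import base64, hashlib, json, secrets, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values (placeholders, not from the thread). Keycloak < 17 adds an /auth prefix.
KEYCLOAK_URL = "https://keycloak.example.com"
REALM = "kafka"
CLIENT_ID = "kafka-cli"          # public OIDC client registered in the realm
REDIRECT_URI = "http://localhost:8080/callback"
IDP_ALIAS = "okta"               # alias of the Okta identity provider in Keycloak
OIDC = f"{KEYCLOAK_URL}/realms/{REALM}/protocol/openid-connect"

def make_pkce_pair(verifier=None):
    """RFC 7636 S256: challenge = BASE64URL(SHA256(verifier)) without padding."""
    verifier = verifier or secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def authorization_url(code_challenge, state):
    """Login URL; kc_idp_hint skips the Keycloak login page and goes straight to Okta."""
    params = {"client_id": CLIENT_ID, "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "code_challenge": code_challenge,
              "code_challenge_method": "S256", "kc_idp_hint": IDP_ALIAS}
    return f"{OIDC}/auth?{urllib.parse.urlencode(params)}"

def parse_callback(path, expected_state):
    """Extract the code from the redirect; reject a mismatched state (CSRF guard)."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login")
    return query["code"][0]

def exchange_code(code, code_verifier):
    """POST code + verifier to the token endpoint; returns the token response JSON."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "client_id": CLIENT_ID,
                                   "code": code, "redirect_uri": REDIRECT_URI,
                                   "code_verifier": code_verifier}).encode()
    with urllib.request.urlopen(urllib.request.Request(f"{OIDC}/token", data=body)) as resp:
        return json.load(resp)

def wait_for_code(expected_state):
    """One-shot loopback listener that receives the browser redirect from Keycloak."""
    result = {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            result["code"] = parse_callback(self.path, expected_state)
            self.send_response(200); self.end_headers()
            self.wfile.write(b"Login complete, you can close this tab.")
    with HTTPServer(("localhost", 8080), Handler) as srv:
        srv.handle_request()
    return result["code"]

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Open this URL in a browser:\n", authorization_url(challenge, state))
    tokens = exchange_code(wait_for_code(state), verifier)
    print("access_token:", tokens["access_token"], "\nexpires_in:", tokens["expires_in"])
```

The printed access_token is what the Kafka client then presents over SASL/OAUTHBEARER (with the Strimzi OAuth library, via its oauth.access.token option); it expires after expires_in seconds, so the script is rerun rather than the token being stored long-term.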