common/kafka: ability to specify OAuth scopes

2025-12-11 22:14:02 +01:00 · 2025-05-02 06:54:03 +02:00
parent 55b74a1954
commit a70744429a
4 changed files with 14 additions and 9 deletions
--- a/common/kafka/config.go
+++ b/common/kafka/config.go
@@ -17,6 +17,7 @@ import (
 	"github.com/IBM/sarama"
 	"github.com/gin-gonic/gin"
 	"github.com/go-viper/mapstructure/v2"
+	"golang.org/x/oauth2/clientcredentials"
 )

 // Configuration defines how we connect to a Kafka cluster.
@@ -43,6 +44,8 @@ type SASLConfiguration struct {
 	Mechanism SASLMechanism `validate:"required_with=SASLUsername"`
 	// OAuthTokenURL tells which URL to use to get an OAuthToken
 	OAuthTokenURL string `validate:"required_if=Mechanism 4,excluded_unless=Mechanism 4,omitempty,url"`
+	// OAuthScopes defines the scopes to send for OAuth mechanism
+	OAuthScopes []string
 }

 // DefaultConfiguration represents the default configuration for connecting to Kafka.
@@ -135,8 +138,12 @@ func NewConfig(config Configuration) (*sarama.Config, error) {
 			kafkaConfig.Net.SASL.TokenProvider = newOAuthTokenProvider(
 				context.Background(), // TODO should be bound to the component lifecycle, but no component here
 				tlsConfig,
-				config.SASL.Username, config.SASL.Password,
-				config.SASL.OAuthTokenURL)
+				clientcredentials.Config{
+					ClientID:     config.SASL.Username,
+					ClientSecret: config.SASL.Password,
+					TokenURL:     config.SASL.OAuthTokenURL,
+					Scopes:       config.SASL.OAuthScopes,
+				})
 		default:
 			return nil, fmt.Errorf("unknown SASL mechanism: %s", config.SASL.Mechanism)
 		}
--- a/common/kafka/config_test.go
+++ b/common/kafka/config_test.go
@@ -214,6 +214,7 @@ func TestTLSConfiguration(t *testing.T) {
 						"password":        "bye",
 						"mechanism":       "oauth",
 						"oauth-token-url": "http://example.com/token",
+						"oauth-scopes":    "one,two",
 					},
 				}
 			},
@@ -231,6 +232,7 @@ func TestTLSConfiguration(t *testing.T) {
 					Password:      "bye",
 					Mechanism:     SASLOauth,
 					OAuthTokenURL: "http://example.com/token",
+					OAuthScopes:   []string{"one", "two"},
 				},
 			},
 		}, {
--- a/common/kafka/oauth.go
+++ b/common/kafka/oauth.go
@@ -19,12 +19,7 @@ type tokenProvider struct {
 }

 // newOAuthTokenProvider returns a sarama.AccessTokenProvider using OAuth credentials.
-func newOAuthTokenProvider(ctx context.Context, tlsConfig *tls.Config, clientID, clientSecret, tokenURL string) sarama.AccessTokenProvider {
-	cfg := clientcredentials.Config{
-		ClientID:     clientID,
-		ClientSecret: clientSecret,
-		TokenURL:     tokenURL,
-	}
+func newOAuthTokenProvider(ctx context.Context, tlsConfig *tls.Config, oauthConfig clientcredentials.Config) sarama.AccessTokenProvider {
 	httpClient := &http.Client{Transport: &http.Transport{
 		Proxy:           http.ProxyFromEnvironment,
 		TLSClientConfig: tlsConfig,
@@ -32,7 +27,7 @@ func newOAuthTokenProvider(ctx context.Context, tlsConfig *tls.Config, clientID,
 	ctx = context.WithValue(ctx, oauth2.HTTPClient, httpClient)

 	return &tokenProvider{
-		tokenSource: cfg.TokenSource(context.Background()),
+		tokenSource: oauthConfig.TokenSource(context.Background()),
 	}
 }

--- a/console/data/docs/02-configuration.md
+++ b/console/data/docs/02-configuration.md
@@ -752,6 +752,7 @@ The following keys are accepted for SASL configuration:
  set to none when SASL is used.
 - `oauth-token-url` defines the URL to query to get a valid OAuth token (in this
  case, `username` and `password` are used as client credentials).
+- `oauth-scopes` defines the list of scopes to request for the OAuth token.

 The following keys are accepted for the topic configuration: