In general, the structure of the Oauth2 config looks as follows:
auth:type:OAUTH2oauth2:client:<unique_name>:clientId:xxxclientSecret:yyyscope:openidclient-name:cognito# will be displayed on the login pageprovider:<provider>redirect-uri:http://localhost:8080/login/oauth2/code/<provider>authorization-grant-type:authorization_codeissuer-uri:https://xxxjwk-set-uri:https://yyy/.well-known/jwks.jsonuser-name-attribute:<zzz>custom-params:type:<provider_type># fill this if you're gonna use RBAC. Supported values: cognito, google, github, oauth (for other generic providers)roles-field:groups# required for RBAC, a field name in OAuth token which will contain user's roles/groups
Service Discovery
For specific providers like Github (non-enterprise) and Google (see the current list), you don't have to specify URIs as they're well known.
Furthermore, other providers that support OIDC Service Discovery allow fetching URIs configuration from a /.well-known/openid-configuration endpoint. Depending on your setup, you may only have to set the issuer-uri of your provider to enable OIDC Service Discovery.
Provider config examples
Cognito
kafka:clusters: - name:localbootstrapServers:localhost:9092# ...auth:type:OAUTH2oauth2:client:cognito:clientId:xxxclientSecret:yyyscope:openidclient-name:cognitoprovider:cognitoredirect-uri:http://localhost:8080/login/oauth2/code/cognitoauthorization-grant-type:authorization_codeissuer-uri:https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_xxxjwk-set-uri:https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_xxx/.well-known/jwks.jsonuser-name-attribute:cognito:usernamecustom-params:type:cognitologoutUrl:https://<XXX>>.eu-central-1.amazoncognito.com/logout#required just for cognito
Google
kafka:clusters: - name:localbootstrapServers:localhost:9092# ...auth:type:OAUTH2oauth2:client:google:provider:googleclientId:xxx.apps.googleusercontent.comclientSecret:GOCSPX-xxxuser-name-attribute:emailcustom-params:type:googleallowedDomain:kafbat.io# for RBAC
auth:type:OAUTH2oauth2:client:okta:clientId:xxxclientSecret:yyyscope: [ 'openid','profile','email','groups' ] # default for okta + groups for rbacclient-name:Oktaprovider:oktaredirect-uri:http://localhost:8080/login/oauth2/code/oktaauthorization-grant-type:authorization_codeissuer-uri:https://<okta_domain>.okta.comjwk-set-uri:https://yyy/.well-known/jwks.jsonuser-name-attribute:sub# default for okta, "email" also availablecustom-params:type:oauthroles-field:groups# required for RBAC