The FlowX.AI platform supports enabling Kafka authentication across all Java microservices using a dedicated Spring configuration profile. This feature simplifies the activation of secure Kafka communication by centralizing the configuration in one place.
Currently, kafka-auth is the only supported profile provided by the platform for Kafka authentication.
Understanding SPRING_PROFILES_ACTIVE
SPRING_PROFILES_ACTIVE is an environment variable used by Spring Boot to determine which configuration profiles should be active at runtime.
Key characteristics
- Multiple profiles: Can contain one or more profile names, separated by commas. Example: SPRING_PROFILES_ACTIVE=dev,kafka-auth
- Environment-specific behavior: Profiles allow different sets of configuration to be loaded depending on the environment or required feature set
- Special kafka-auth profile: Activates Kafka authentication across services
If SPRING_PROFILES_ACTIVE is not set, the application runs with the default profile, which does not include Kafka authentication.
Configuration details
When the kafka-auth profile is enabled, the following Spring Kafka properties are automatically applied:
spring.config.activate.on-profile: kafka-auth
spring:
  kafka:
    security.protocol: "SASL_PLAINTEXT"
    properties:
      sasl:
        mechanism: "OAUTHBEARER"
        jaas.config: >
          org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
          oauth.client.id="${KAFKA_OAUTH_CLIENT_ID:kafka}"
          oauth.client.secret="${KAFKA_OAUTH_CLIENT_SECRET:kafka-secret}"
          oauth.token.endpoint.uri="${KAFKA_OAUTH_TOKEN_ENDPOINT_URI:kafka.auth.localhost}" ;
        login.callback.handler.class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
Configuration properties explained
| Property | Purpose | Value |
| --- | --- | --- |
| spring.kafka.security.protocol | Defines Kafka communication protocol | SASL_PLAINTEXT |
| spring.kafka.properties.sasl.mechanism | Authentication mechanism used for SASL | OAUTHBEARER |
| spring.kafka.properties.sasl.jaas.config | JAAS login configuration referencing environment variables | See configuration |
| spring.kafka.properties.sasl.login.callback.handler.class | Callback handler for OAuth authentication | io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler |
Required environment variables
The Kafka authentication profile uses environment variables to configure OAuth parameters dynamically. These variables should be set in the runtime environment for each microservice.
| Environment Variable | Default Value | Description |
| --- | --- | --- |
| KAFKA_OAUTH_CLIENT_ID | kafka | OAuth client ID used to authenticate with the token endpoint |
| KAFKA_OAUTH_CLIENT_SECRET | kafka-secret | Secret associated with the OAuth client ID |
| KAFKA_OAUTH_TOKEN_ENDPOINT_URI | kafka.auth.localhost | OAuth token endpoint URI from which access tokens are obtained |
These variables should be set in the runtime environment. If they are not provided, the defaults listed above will be used.
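A preflight check for the two silent fallbacks described above (no kafka-auth profile means no Kafka authentication; unset variables mean the documented defaults apply), as an added example that is not FlowX.AI code. The function names are hypothetical; the profile name, variable names and default secret are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not part of the platform. Function names are hypothetical.

# Succeeds if profile $2 is in the comma-separated list $1.
# Exact match only: "kafka-authz" or " kafka-auth" do not count.
profile_active() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line (never the variable values themselves).
# Returns 0 when there are no findings, 1 otherwise.
check_kafka_auth_env() {
    findings=0
    if ! profile_active "${SPRING_PROFILES_ACTIVE:-}" kafka-auth; then
        echo "SPRING_PROFILES_ACTIVE lacks kafka-auth: Kafka authentication is not enabled"
        findings=$((findings + 1))
    fi
    for name in KAFKA_OAUTH_CLIENT_ID KAFKA_OAUTH_CLIENT_SECRET \
                KAFKA_OAUTH_TOKEN_ENDPOINT_URI; do
        eval "value=\${$name:-}"   # indirect lookup; names are fixed above
        if [ -z "$value" ]; then
            echo "$name is unset or empty"
            findings=$((findings + 1))
        elif [ "$name" = KAFKA_OAUTH_CLIENT_SECRET ] &&
             [ "$value" = "kafka-secret" ]; then
            # The default secret is published in the documentation.
            echo "$name equals the documented default"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Demo on a constructed environment, run in a subshell so nothing leaks out.
(
    SPRING_PROFILES_ACTIVE=dev
    KAFKA_OAUTH_CLIENT_SECRET=kafka-secret
    unset KAFKA_OAUTH_CLIENT_ID KAFKA_OAUTH_TOKEN_ENDPOINT_URI
    check_kafka_auth_env
) || true
```

Calling `check_kafka_auth_env || exit 1` from a container entrypoint stops a service from starting with authentication disabled or with the default secret.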
Benefits
Enabling the Kafka authentication profile provides several advantages:
- Centralized enablement: Activates OAuth-based Kafka authentication consistently across services.
- Configurable via environment variables: No hardcoding of sensitive data in app configuration.
- Simple activation: Controlled entirely by the SPRING_PROFILES_ACTIVE variable.
Notes and limitations
- Only the kafka-auth profile is currently supported for Kafka authentication.
- The profile enforces SASL/OAUTHBEARER with plaintext transport. Secure networking (for example, VPN, mTLS) should be ensured where required.