The FlowX.AI platform supports enabling Kafka authentication across all Java microservices using a dedicated Spring configuration profile. This feature simplifies the activation of secure Kafka communication by centralizing the configuration in one place.
Currently, kafka-auth is the only supported profile provided by the platform for Kafka authentication.

Understanding SPRING_PROFILES_ACTIVE

SPRING_PROFILES_ACTIVE is an environment variable used by Spring Boot to determine which configuration profiles should be active at runtime.

Key characteristics

  • Multiple profiles: Can contain one or more profile names, separated by commas
    • Example: SPRING_PROFILES_ACTIVE=dev,kafka-auth
  • Environment-specific behavior: Profiles allow different sets of configuration to be loaded depending on the environment or required feature set
  • Special kafka-auth profile: Activates Kafka authentication across services
If SPRING_PROFILES_ACTIVE is not set, the application runs with the default profile, which does not include Kafka authentication.

Configuration details

When the kafka-auth profile is enabled, the following Spring Kafka properties are automatically applied:
spring.config.activate.on-profile: kafka-auth

spring:
  kafka:
    security.protocol: "SASL_PLAINTEXT"
    properties:
      sasl:
        mechanism: "OAUTHBEARER"
        jaas.config: >
          org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
          oauth.client.id="${KAFKA_OAUTH_CLIENT_ID:kafka}"
          oauth.client.secret="${KAFKA_OAUTH_CLIENT_SECRET:kafka-secret}"
          oauth.token.endpoint.uri="${KAFKA_OAUTH_TOKEN_ENDPOINT_URI:kafka.auth.localhost}" ;
        login.callback.handler.class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler

Configuration properties explained

| Property | Purpose | Value |
|---|---|---|
| spring.kafka.security.protocol | Defines Kafka communication protocol | SASL_PLAINTEXT |
| spring.kafka.properties.sasl.mechanism | Authentication mechanism used for SASL | OAUTHBEARER |
| spring.kafka.properties.sasl.jaas.config | JAAS login configuration referencing environment variables | See configuration |
| spring.kafka.properties.sasl.login.callback.handler.class | Callback handler for OAuth authentication | io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler |

Required environment variables

The Kafka authentication profile uses environment variables to configure OAuth parameters dynamically. These variables should be set in the runtime environment for each microservice.
| Environment Variable | Default Value | Description |
|---|---|---|
| KAFKA_OAUTH_CLIENT_ID | kafka | OAuth client ID used to authenticate with the token endpoint |
| KAFKA_OAUTH_CLIENT_SECRET | kafka-secret | Secret associated with the OAuth client ID |
| KAFKA_OAUTH_TOKEN_ENDPOINT_URI | kafka.auth.localhost | OAuth token endpoint URI from which access tokens are obtained |
If a variable is not provided, the default listed above is used.
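
A service that starts without the kafka-auth profile runs unauthenticated, and one that falls back to the documented defaults authenticates with values anyone reading this page knows. The following preflight check is an added example, not FlowX.AI code; the function name check_kafka_auth_env, treating a documented default as a failure, and the https:// warning are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check for the kafka-auth profile (not FlowX.AI code).
# Variable names and default values are the ones documented on this page.

# Prints one finding per problem; returns 0 only if no FAIL was reported.
check_kafka_auth_env() {
    rc=0

    # Profiles are comma-separated; strip spaces, then match a whole name only.
    profiles=$(printf '%s' "${SPRING_PROFILES_ACTIVE:-}" | tr -d ' ')
    case ",$profiles," in
        *,kafka-auth,*) ;;
        *) echo "FAIL: kafka-auth not in SPRING_PROFILES_ACTIVE; Kafka authentication is off"
           rc=1 ;;
    esac

    # name:documented-default pairs from the environment variable table.
    for pair in \
        "KAFKA_OAUTH_CLIENT_ID:kafka" \
        "KAFKA_OAUTH_CLIENT_SECRET:kafka-secret" \
        "KAFKA_OAUTH_TOKEN_ENDPOINT_URI:kafka.auth.localhost"
    do
        name=${pair%%:*}
        default=${pair#*:}
        # Indirect lookup; $name only ever comes from the fixed list above.
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "FAIL: $name is unset or empty (unset falls back to the documented default)"
            rc=1
        elif [ "$value" = "$default" ]; then
            echo "FAIL: $name is set to the documented default"
            rc=1
        fi
    done

    # Policy assumed by this example: the client secret is sent to the token
    # endpoint, so anything other than an https:// URL gets a warning.
    case "${KAFKA_OAUTH_TOKEN_ENDPOINT_URI:-}" in
        https://*|"") ;;
        *) echo "WARN: token endpoint is not an https:// URL" ;;
    esac

    return "$rc"
}
```

Call `check_kafka_auth_env || exit 1` from the container entrypoint before the JVM starts, so a misconfigured service fails fast instead of starting without authentication or with default credentials.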

Benefits

Enabling the Kafka authentication profile provides several advantages:
  • Centralized enablement: Activates OAuth-based Kafka authentication consistently across services.
  • Configurable via environment variables: No hardcoding of sensitive data in app configuration.
  • Simple activation: Controlled entirely by the SPRING_PROFILES_ACTIVE variable.

Notes and limitations

  • Only the kafka-auth profile is currently supported for Kafka authentication.
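  • The profile enforces SASL/OAUTHBEARER over plaintext transport (SASL_PLAINTEXT), so traffic between services and brokers, including the OAuth bearer token, is not encrypted by Kafka itself. Secure networking (for example, VPN, mTLS) should be ensured where required.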