# Kafka Authentication profile

> Enable secure Kafka communication across Java microservices using Spring configuration profiles

The FlowX.AI platform supports enabling **Kafka authentication** across all Java microservices using a dedicated **Spring configuration profile**. This feature simplifies the activation of secure Kafka communication by centralizing the configuration in one place.

<Info>
  Currently, **kafka-auth is the only supported profile** provided by the platform for Kafka authentication.
</Info>

## Understanding SPRING\_PROFILES\_ACTIVE

`SPRING_PROFILES_ACTIVE` is an environment variable used by Spring Boot to determine which configuration profiles should be active at runtime.

### Key characteristics

* **Multiple profiles**: Can contain one or more profile names, separated by commas
  * Example: `SPRING_PROFILES_ACTIVE=dev,kafka-auth`
* **Environment-specific behavior**: Profiles allow different sets of configuration to be loaded depending on the environment or required feature set
* **Special kafka-auth profile**: Activates Kafka authentication across services

<Warning>
  If `SPRING_PROFILES_ACTIVE` is not set, the application runs with the **default profile**, which does **not** include Kafka authentication.
</Warning>

## Configuration details

When the `kafka-auth` profile is enabled, the following **Spring Kafka properties** are automatically applied:

```yaml
spring.config.activate.on-profile: kafka-auth

spring:
  kafka:
    security.protocol: "SASL_PLAINTEXT"
    properties:
      sasl:
        mechanism: "OAUTHBEARER"
        jaas.config: >
          org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required
          oauth.client.id="${KAFKA_OAUTH_CLIENT_ID:kafka}"
          oauth.client.secret="${KAFKA_OAUTH_CLIENT_SECRET:kafka-secret}"
          oauth.token.endpoint.uri="${KAFKA_OAUTH_TOKEN_ENDPOINT_URI:kafka.auth.localhost}" ;
        login.callback.handler.class: io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler
```

### Configuration properties explained

| Property                                                    | Purpose                                                    | Value                                                               |
| ----------------------------------------------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------- |
| `spring.kafka.security.protocol`                            | Defines Kafka communication protocol                       | `SASL_PLAINTEXT`                                                    |
| `spring.kafka.properties.sasl.mechanism`                    | Authentication mechanism used for SASL                     | `OAUTHBEARER`                                                       |
| `spring.kafka.properties.sasl.jaas.config`                  | JAAS login configuration referencing environment variables | See configuration                                                   |
| `spring.kafka.properties.sasl.login.callback.handler.class` | Callback handler for OAuth authentication                  | `io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler` |

## Required environment variables

The Kafka authentication profile uses environment variables to configure OAuth parameters dynamically. These variables should be set in the runtime environment for each microservice.

| Environment Variable             | Default Value          | Description                                                    |
| -------------------------------- | ---------------------- | -------------------------------------------------------------- |
| `KAFKA_OAUTH_CLIENT_ID`          | `kafka`                | OAuth client ID used to authenticate with the token endpoint   |
| `KAFKA_OAUTH_CLIENT_SECRET`      | `kafka-secret`         | Secret associated with the OAuth client ID                     |
| `KAFKA_OAUTH_TOKEN_ENDPOINT_URI` | `kafka.auth.localhost` | OAuth token endpoint URI from which access tokens are obtained |

<Warning>
  Set these variables in the runtime environment of each microservice. If they are not provided, the defaults listed above are used, including the client secret `kafka-secret`, which is published in this documentation.
</Warning>
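
A startup check for the two warnings above, as an added example that is not part of the FlowX.AI platform: it verifies that `kafka-auth` is an exact entry in `SPRING_PROFILES_ACTIVE` and that none of the three OAuth variables is unset or left at its documented default. The function names are hypothetical, and treating every documented default as a finding is this example's own policy.

```shell
#!/bin/sh
# Added example (not FlowX.AI code): preflight check for the kafka-auth profile.
# The three values below are the defaults documented on this page.
DEFAULT_CLIENT_ID="kafka"
DEFAULT_CLIENT_SECRET="kafka-secret"
DEFAULT_TOKEN_URI="kafka.auth.localhost"

# has_profile LIST NAME: succeeds only if NAME is an exact entry of the
# comma-separated LIST (whitespace around entries is ignored by this check).
has_profile() {
  _list=$(printf '%s' "$1" | tr -d '[:space:]')
  case ",$_list," in
    *",$2,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_var NAME DOCUMENTED_DEFAULT: fails when NAME is unset/empty or still
# equals the documented default. The value itself is never printed.
check_var() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "FAIL: $1 is not set, so the documented default would be used"
    return 1
  fi
  if [ "$_val" = "$2" ]; then
    echo "FAIL: $1 equals the documented default"
    return 1
  fi
  return 0
}

# kafka_auth_preflight: prints findings and returns how many there were (0-4).
kafka_auth_preflight() {
  _n=0
  has_profile "${SPRING_PROFILES_ACTIVE:-}" "kafka-auth" || {
    echo "FAIL: kafka-auth missing from SPRING_PROFILES_ACTIVE"; _n=$((_n + 1)); }
  check_var KAFKA_OAUTH_CLIENT_ID "$DEFAULT_CLIENT_ID" || _n=$((_n + 1))
  check_var KAFKA_OAUTH_CLIENT_SECRET "$DEFAULT_CLIENT_SECRET" || _n=$((_n + 1))
  check_var KAFKA_OAUTH_TOKEN_ENDPOINT_URI "$DEFAULT_TOKEN_URI" || _n=$((_n + 1))
  return "$_n"
}
```

Called from a container entrypoint as `kafka_auth_preflight || exit 1`, it stops the service before the JVM starts with authentication disabled or with the published secret.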

## Benefits

Enabling the Kafka authentication profile provides several advantages:

* **Centralized enablement**: Activates OAuth-based Kafka authentication consistently across services.
* **Configurable via environment variables**: No hardcoding of sensitive data in app configuration.
* **Simple activation**: Controlled entirely by the `SPRING_PROFILES_ACTIVE` variable.

## Notes and limitations

* Only the kafka-auth profile is currently supported for Kafka authentication.
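* The profile enforces **SASL/OAUTHBEARER with plaintext transport** (`SASL_PLAINTEXT`): clients authenticate to the broker, but the connection itself is not TLS-encrypted, so tokens and message data are readable on the network path. Secure networking (for example, VPN, mTLS) should be ensured where required.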
