Kafka: Add oidc_workload_identity auth type for Azure Workload Identity
Describe the feature
Add a new oidc_workload_identity auth type to the Kafka component (pubsub and bindings) that enables SASL/OAUTHBEARER authentication using Kubernetes Workload Identity — without any secrets or certificates.
Problem: The current OIDC auth types (oidc, oidc_private_key_jwt) require either a client secret or certificate/key material. On AKS with Azure Workload Identity, the platform already injects a short-lived service account token into the pod — but the Kafka component can't use it directly.
Solution: A new auth type that:
- Reads the projected SA token from the filesystem (injected by the Azure Workload Identity webhook)
- Exchanges it with Entra ID for an access token using the client_assertion grant
- Uses the access token for Kafka SASL/OAUTHBEARER
All configuration (clientID, tokenEndpoint, tokenFilePath, scopes) is auto-resolved from injected environment variables (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST, AZURE_FEDERATED_TOKEN_FILE).
Minimal component YAML:
```yaml
metadata:
  - name: authType
    value: oidc_workload_identity
```
Works with both Azure App Registrations and User-Assigned Managed Identities with Federated Identity Credentials. Also supports Confluent Cloud oidcExtensions for Identity Pool routing.
Business value: Eliminates secret management overhead for Kafka authentication on AKS. Aligns with zero-trust and secretless authentication best practices. Other Dapr Azure components (Event Hubs, Service Bus) already support workload identity — this brings Kafka to parity.
Release Note
RELEASE NOTE: ADD Kafka pubsub/binding: new oidc_workload_identity auth type for Azure Workload Identity (secretless SASL/OAUTHBEARER authentication).