> ## Documentation Index
> Fetch the complete documentation index at: https://docs.streamnative.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure OAuth2 authentication

You can configure [Open Authorization (OAuth2)](https://www.rfc-editor.org/rfc/rfc6749) to allow users to connect to a Pulsar cluster, log in to StreamNative Console, or access the Grafana service with their Auth0, Google, Azure AD, or Okta accounts.

## Configure OAuth2 authentication

To enable OAuth2 authentication, you can configure the OAuth2 authentication property of the StreamNative Platform components in the `values.yaml` YAML file as follows, and then update the resource.

```yaml theme={null}
auth:
  oauth:
    enabled: true # --- [1]
    oauthIssuerUrl: 'your-issuer-url' # --- [2]
    oauthAudience: 'your-application-id' # --- [3]
    oauthSubjectClaim: 'oid' # --- [4]
    oauthScopeClaim: 'scp' # --- [5]
    oauthAuthzRoleClaim: 'roles' # --- [6]
    # The name of the role when creating the application
    oauthAuthzAdminRole: 'admin-approle' # --- [7]
    brokerClientCredential: '' # --- [8]
    brokerClientAuthenticationPlugin: org.apache.pulsar.client.impl.auth.oauth2.AuthenticationOAuth2 # --- [9]
    brokerClientAuthenticationParameters: '' # --- [10]
    authenticationProvider: 'io.streamnative.pulsar.broker.authentication.AuthenticationProviderOAuth' # --- [11]
    authorizationProvider: 'io.streamnative.pulsar.broker.authorization.AuthorizationProviderOAuth' # --- [12]
```

* \[1] `enabled`: Required. Set it to `true` if you want to enable OAuth2 authentication. By default, it is set to `false`.
* \[2] `oauthIssuerUrl`: Required. The URL of your OAuth2 identity provider that allows a Pulsar client to obtain an access token.
* \[3] `oauthAudience`: Required. The identifier that all tokens must be issued for.
* \[4] `oauthSubjectClaim`: Required. The JWT claim that is used as the user name. By default, it is set to `sub`.
* \[5] `oauthScopeClaim`: Required. The JWT claim that is used as the scope claims. By default, it is set to `scope`.
* \[6] `oauthAuthzRoleClaim`: Required. The JWT claim that is used as the authentication role.
* \[7] `oauthAuthzAdminRole`: Required. The Authentication Role to operate as a Pulsar superuser.
* \[8] `brokerClientCredential`: Optional. It is used to create a credential with the client ID and the Secret.
* \[9] `brokerClientAuthenticationPlugin`: Optional. The broker authentication plugin.
* \[10] `brokerClientAuthenticationParameters`: Optional. The authentication parameters that are set on the broker. It contains a path to the broker's key file, as mounted into the broker pod.
* \[11] `authenticationProvider`: Required. The authentication provider that identifies a client and then assigns a role token to that client. By default, it is set to `io.streamnative.pulsar.broker.authentication.AuthenticationProviderOAuth`.
* \[12] `authorizationProvider`: Required. The authorization provider that authorizes a service account. By default, it is set to `io.streamnative.pulsar.broker.authorization.AuthorizationProviderOAuth`.

Currently, StreamNative Platform supports Auth0 and Azure AD OAuth2 authentication.

### Configure Auth0 OAuth2 authentication

This section describes how to configure Auth0 OAuth2 authentication for StreamNative Platform.

1. Create an Auth0 tenant and domain.

   For details, see [create a tenant and domain](https://auth0.com/docs/get-started/auth0-overview/create-tenants#create-a-tenant-and-domain).

2. Register StreamNative Platform in [Auth0 Dashboard](https://manage.auth0.com/?_gl=1*r7s8e6*rollup_ga*MTg4NjkxODQwNy4xNjYyMzY1OTMx*rollup_ga_F1G3E656YZ*MTY2NjI0NjA5Ni42LjEuMTY2NjI0NjQyMi41Ny4wLjA.#/applications).

   For details, see [register regular Web applications](https://auth0.com/docs/get-started/auth0-overview/create-applications/regular-web-apps).

3. Set up an enterprise connection in Auth0.

   For details, see [create an enterprise connection using the Dashboard](https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/oidc#create-an-enterprise-connection-using-the-dashboard).

4. Enable Auth0 OAuth2 authentication for StreamNative Platform.

   ```yaml theme={null}
   auth:
     oauth:
       enabled: true # --- [1]
       oauthIssuerUrl: 'https://<you_domain>.au.auth0.com' # --- [2]
       oauthAudience: 'your-client-id' # --- [3]
       oauthSubjectClaim: 'oid'
       oauthScopeClaim: 'scp'
       # other configs
   ```

   * \[1] `enabled`: enable Auth0 OAuth2 authentication.
   * \[2] `oauthIssuerUrl`: the URL of the Auth0 OAuth2 identity provider that allows a Pulsar client to obtain an access token.
   * \[3] `oauthAudience`: the Auth0 OAuth2 client ID that is used by StreamNative Platform for requesting an Auth0 OAuth2 token.

### Configure Azure AD OAuth2 authentication

This section describes how to configure Azure AD OAuth2 authentication for StreamNative Platform.

1. Register StreamNative Platform in [Azure Portal](https://portal.azure.com/).

   * Use an application name that represents the cluster, such as "sn-platform".
   * Skip defining a redirect URI.
   * Stash the Application client ID (on the **Overview** page) for later.

   For details, see [register an application](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#register-an-application).

2. Add credentials.

   With credentials, your application can authenticate as itself, requiring no interaction from a user at runtime. You can add both [certificates](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-certificate) and client [secrets](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-a-client-secret) (a string) as credentials to your application. For details, see [add credentials](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app#add-credentials).

3. Expose an API.

   For details, see [configure an application to expose a web API](https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis).

4. Define an App Role for superuser administrative access to StreamNative Platform.

   For details, see [App roles UI](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#app-roles-ui).

5. Define the API permissions that are granted to Pulsar cluster's service account.

   For details, see [assign app roles to applications](https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#assign-app-roles-to-applications).

6. Grant the admin consent.

   Navigate to the **Enterprise application** view of the Pulsar cluster. Azure will prompt you to grant the [admin consent](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/user-admin-consent-overview#admin-consent) for your applications. For details, see [grant admin consent in App registrations](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=portal#grant-admin-consent-in-app-registrations).

7. Enable Azure AD OAuth2 authentication for StreamNative Platform.

   ```yaml theme={null}
   auth:
     oauth:
       enabled: true # --- [1]
       oauthIssuerUrl: 'https://login.microsoftonline.com/{your-tenant-id}/v2.0' # --- [2]
       oauthAudience: 'your-application-id' # --- [3]
       # other configs
   ```

   * \[1] `enabled`: enable Azure AD OAuth2 authentication.
   * \[2] `oauthIssuerUrl`: the URL of the Azure AD OAuth2 identity provider that allows a Pulsar client to obtain an access token.
   * \[3] `oauthAudience`: the OAuth2 client ID that is used by StreamNative Platform for requesting an OAuth2 token.

## Configure multiple OAuth2 identity providers

To configure multiple OAuth2 identity providers for StreamNative Platform, you need to use the `oidcIssuers` option to specify the OAuth2 identity providers and then configure parameters for each of the OAuth2 identity providers. The `oidcIssuers` is a map of multiple OAuth2 identity providers. If it is not set, a single OAuth2 identity provider will be used. For details about how to configure OAuth2 authentication, see [configure OAuth2 authentication](#configure-oauth2-authentication).

This example shows how to enable Auth0 and Azure AD OAuth2 authentication on StreamNative Platform.

```yaml theme={null}
auth:
  oauth:
    enabled: true
    oidcIssuers:
      {
        'https://auth.streamnative.cloud/':
          {
            'audience': 'urn:sn:pulsar:test:test',
            'subjectClaim': 'https://streamnative.io/username',
          },
        'https://login.microsoftonline.com/{tenant_id}/v2.0':
          {
            'audience': 'app_client_id',
            'authzAdminRole': 'admin-approle',
            'authzRoleClaim': 'roles',
            'scopeClaim': 'scp',
            'subjectClaim': 'oid',
          },
      }
```

## Enable OAuth2 authentication for StreamNative Console

Currently, you can configure Google, Microsoft Azure AD, and Okta OAuth2 authentication for StreamNative Console. For details, see [configure login methods](/private-cloud/v1/streamnative-console/streamnative-console#configure-login-methods).

## Related topics

* [Log in to StreamNative Console](/private-cloud/v1/streamnative-console/login-console#login-for-oauth2-authentication)
* [Access the Grafana service through Azure AD OAuth2 authentication](/private-cloud/v1/monitor/grafana#azure-ad-oauth2-authentication)
