SASL Authentication | Laravel Kafka

 [ Laravel Kafka ](/)

     Search

 ⌘K

  [   Login with GitHub ](https://laravelkafka.com/oauth/github/redirect)

    Docs for version          selected

 v2.11

 v2.10

 v2.9

 v2.8

 v1.13

- - [ Introduction ](/docs/v2.11/introduction)
    - [ Requirements ](/docs/v2.11/requirements)
    - [ Installation and Setup ](/docs/v2.11/installation-and-setup)
    - [ Questions and issues ](/docs/v2.11/questions-and-issues)
    - [ Changelog ](/docs/v2.11/changelog)
    - [ Upgrade guide ](/docs/v2.11/upgrade-guide)
    - [ Example docker-compose file ](/docs/v2.11/example-docker-compose)
- Producing messages
    ------------------

    - [ Producing messages ](/docs/v2.11/producing-messages/producing-messages)
    - [ Configuring your kafka producer ](/docs/v2.11/producing-messages/configuring-producers)
    - [ Configuring message payload ](/docs/v2.11/producing-messages/configuring-message-payload)
    - [ Custom serializers ](/docs/v2.11/producing-messages/custom-serializers)
    - [ Publishing to kafka ](/docs/v2.11/producing-messages/publishing-to-kafka)
- Consuming messages
    ------------------

    - [ Creating a kafka consumer ](/docs/v2.11/consuming-messages/creating-consumer)
    - [ Subscribing to kafka topics ](/docs/v2.11/consuming-messages/subscribing-to-kafka-topics)
    - [ Using regex to subscribe to kafka topics ](/docs/v2.11/consuming-messages/using-regex-to-subscribe-to-kafka-topics)
    - [ Assigning consumers to a topic partition ](/docs/v2.11/consuming-messages/assigning-partitions)
    - [ Consuming messages from specific offsets ](/docs/v2.11/consuming-messages/consuming-from-specific-offsets)
    - [ Consumer groups ](/docs/v2.11/consuming-messages/consumer-groups)
    - [ Partition Discovery and Dynamic Assignment ](/docs/v2.11/consuming-messages/partition-discovery)
    - [ Message handlers ](/docs/v2.11/consuming-messages/message-handlers)
    - [ Configuring consumer options ](/docs/v2.11/consuming-messages/configuring-consumer-options)
    - [ Custom deserializers ](/docs/v2.11/consuming-messages/custom-deserializers)
    - [ Consuming messages ](/docs/v2.11/consuming-messages/consuming-messages)
    - [ Class structure ](/docs/v2.11/consuming-messages/class-structure)
    - [ Queueable handlers ](/docs/v2.11/consuming-messages/queueable-handlers)
- Advanced usage
    --------------

    - [ Replacing the default serializer/deserializer ](/docs/v2.11/advanced-usage/replacing-default-serializer)
    - [ Graceful shutdown ](/docs/v2.11/advanced-usage/graceful-shutdown)
    - [ SASL Authentication ](/docs/v2.11/advanced-usage/sasl-authentication)
    - [ Custom Committers ](/docs/v2.11/advanced-usage/custom-committers)
    - [ Manual Commit ](/docs/v2.11/advanced-usage/manual-commit)
    - [ Middlewares ](/docs/v2.11/advanced-usage/middlewares)
    - [ Stop consumer after last messages ](/docs/v2.11/advanced-usage/stop-consumer-after-last-message)
    - [ Stop consumer on demand ](/docs/v2.11/advanced-usage/stopping-a-consumer)
    - [ Writing custom loggers ](/docs/v2.11/advanced-usage/custom-loggers)
    - [ Before and after callbacks ](/docs/v2.11/advanced-usage/before-callbacks)
    - [ Setting global configurations ](/docs/v2.11/advanced-usage/setting-global-configuration)
    - [ Sending multiple messages with the same producer ](/docs/v2.11/advanced-usage/sending-multiple-messages-with-the-same-producer)
- Testing
    -------

    - [ Kafka fake ](/docs/v2.11/testing/fake)
    - [ Assert Published ](/docs/v2.11/testing/assert-published)
    - [ Assert published On ](/docs/v2.11/testing/assert-published-on)
    - [ Assert nothing published ](/docs/v2.11/testing/assert-nothing-published)
    - [ Assert published times ](/docs/v2.11/testing/assert-published-times)
    - [ Assert published on times ](/docs/v2.11/testing/assert-published-on-times)
    - [ Mocking your kafka consumer ](/docs/v2.11/testing/mocking-your-kafka-consumer)

  SASL Authentication
=====================

Support Laravel Kafka by sponsoring me!

Do you find Laravel Kafka valuable and wanna support its development?

Laravel Kafka is free and Open Source software, built to empower developers like you. Your support helps maintain and enhance the project. If you find it valuable, please consider sponsoring me on GitHub. Every contribution makes a difference and keeps the development going strong! Thank you!

   [ Become a Sponsor ](https://github.com/sponsors/mateusjunges)

 Want to hide this message? Sponsor at any tier of $10/month or more!

SASL allows your producers and your consumers to authenticate to your Kafka cluster, which verifies their identity. It's also a secure way to enable your clients to endorse an identity. To provide SASL configuration, you can use the `withSasl` method, passing a `Junges\Kafka\Config\Sasl` instance as the argument:

         ```
$consumer = \Junges\Kafka\Facades\Kafka::consumer()
    ->withSasl(
        password: 'password',
        username: 'username',
        mechanisms: 'authentication mechanism'
    );
```

You can also set the security protocol used with sasl. It's optional and by default `SASL_PLAINTEXT` is used, but you can set it to `SASL_SSL`:

         ```
$consumer = \Junges\Kafka\Facades\Kafka::consumer()
    ->withSasl(
        password: 'password',
        username: 'username',
        mechanisms: 'authentication mechanism',
        securityProtocol: 'SASL_SSL',
    );
```

                       Hot tip!

 When using the `withSasl` method, the securityProtocol set in this method takes priority over `withSecurityProtocol` method.

### [](#content-oauthbearer-authentication "Permalink")OAUTHBEARER Authentication

If your Kafka cluster requires OAuth 2.0 / OAUTHBEARER authentication (common with Confluent Cloud, AWS MSK with IAM, or enterprise deployments), you can use the `withOAuthBearerTokenRefreshCallback` method. This registers a callback that librdkafka invokes whenever it needs a fresh token.

         ```
use Junges\Kafka\Facades\Kafka;

$consumer = Kafka::consumer(['my.topic'])
    ->withOptions([
        'security.protocol' => 'SASL_SSL',
        'sasl.mechanisms'   => 'OAUTHBEARER',
    ])
    ->withOAuthBearerTokenRefreshCallback(function ($consumer, string $oauthConfig): void {
        $token      = fetchTokenFromIdP();
        $expiresMs  = getTokenExpiryMs($token);
        $principal   = 'my-client-id';
        $extensions = [
            'logicalCluster' => 'lkc-xxxxx',
            'identityPoolId' => 'pool-xxxxx',
        ];

        $consumer->oauthbearerSetToken($token, $expiresMs, $principal, $extensions);
    })
    ->withHandler(new MyMessageHandler())
    ->build()
    ->consume();
```

The callback receives two arguments: the `RdKafka\KafkaConsumer` (or `RdKafka\Producer`) instance and the `oauthbearer_config` string from your librdkafka configuration. Inside the callback, call `$consumer->oauthbearerSetToken()` to provide the token, or `$consumer->oauthbearerSetTokenFailure($reason)` if the token could not be obtained.

This method is available on both the consumer and producer builders.

### [](#content-tls-authentication "Permalink")TLS Authentication

For using TLS authentication with Laravel Kafka you can configure your client using the following options:

         ```
$consumer = \Junges\Kafka\Facades\Kafka::consumer()
    ->withOptions([
        'ssl.ca.location' => '/some/location/kafka.crt',
        'ssl.certificate.location' => '/some/location/client.crt',
        'ssl.key.location' => '/some/location/client.key',
        'ssl.endpoint.identification.algorithm' => 'none'
    ]);
```

 Previous  [ Graceful shutdown    ](https://laravelkafka.com/docs/v2.11/advanced-usage/graceful-shutdown)

 Next  [ Custom Committers    ](https://laravelkafka.com/docs/v2.11/advanced-usage/custom-committers)

Sponsors

 [ version="1.0" encoding="UTF-8"?       EasyCal ](https://easycal.app/)

 [       Search  ⌘ K   ](https://typesense.org/)