Using bearer tokens and the registry client. #4462
Hi,
For inbound flows I am looking for the global ID in the header (or elsewhere) and calling up using the registry client to get the Avro schema. I have these cases working without security and am looking to drive the registry client with security. I see the RegistryClient can be constructed with an Auth parameter and there are 2 implementations, one for basic and one for OIDC auth. I assume for basic auth I would create a BasicAuth object and populate it with the userid and password. I am not sure how I should populate an OidcAuth object with the bearer token. I don't think I want to be putting the client secret in the config - but could pass a bearer token and Bearer auth credentials source. How do I do this?
Hello @davidradl,
For OIDC auth you must pass your client_id and client_secret to the RegistryClient. What will happen internally is that a Client Credentials Flow will be executed against the authentication server (basically the pair will be exchanged for a valid token). Your credentials are not shared with the server, they remain at the client application level. Given the nature of bearer tokens (it depends on the server, but normally they last for one hour) this is the usual interaction: configure the client application with a client_id and client_secret pair. You would want to create a separate client for each client application so you do not share the credentials across all of them. Here you have a code example of how to configure the Registry client.
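The exchange described in the reply above, as an added example (not Apicurio's client code and not written by either poster): a token source keeps the client_id/client_secret pair, trades it for a bearer token with a Client Credentials request, and renews the token once its lifetime runs out. The `post` transport, `FakeAuthServer`, the token values and the 30-second skew are assumptions constructed for illustration.

```python
import base64
import time
import urllib.parse

EXPIRY_SKEW = 30  # assumption: renew this many seconds before expiry


def build_token_request(client_id, client_secret):
    """Client Credentials grant (RFC 6749, section 4.4): headers and form body."""
    pair = f"{urllib.parse.quote_plus(client_id)}:{urllib.parse.quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, "grant_type=client_credentials"


class ClientCredentialsTokenSource:
    """Holds the client_id/client_secret pair and hands out bearer headers."""
    def __init__(self, client_id, client_secret, post, clock=time.monotonic):
        self._id, self._secret = client_id, client_secret
        self._post = post  # hypothetical transport: post(headers, body) -> dict
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def bearer_header(self):
        """Header for a registry call; only the token leaves this object."""
        if self._token is None or self._clock() >= self._expires_at:
            reply = self._post(*build_token_request(self._id, self._secret))
            if reply.get("token_type", "").lower() != "bearer":
                raise ValueError("unexpected token_type")
            lifetime = max(0, int(reply.get("expires_in", 0)) - EXPIRY_SKEW)
            self._token = reply["access_token"]
            self._expires_at = self._clock() + lifetime
        return {"Authorization": f"Bearer {self._token}"}


class FakeAuthServer:
    """Constructed stand-in for the token endpoint so the example runs offline."""
    def __init__(self, client_id, client_secret, lifetime=3600):
        self._expected = build_token_request(client_id, client_secret)[0]["Authorization"]
        self._lifetime, self.issued = lifetime, 0

    def __call__(self, headers, body):
        if headers.get("Authorization") != self._expected or body != "grant_type=client_credentials":
            raise PermissionError("invalid_client")
        self.issued += 1
        return {"access_token": f"constructed-token-{self.issued}",
                "token_type": "Bearer", "expires_in": self._lifetime}
```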