Replies: 1 comment
Seems to be a really complicated task. AKHQ was built from the ground up with singletons on all Kafka resources, but for sure, PRs are welcome on that. I only fear the complexity will be really high as first thought and can lead to a large complexity to maintain the project.
When using Kafka with `OAUTHBEARER` and OIDC configured AKHQ we must create a client for the AKHQ to access the Kafka Cluster. This way we end up having Authorization in Kafka as well as in AKHQ, and non-functional requirements like audit logging need to be implemented in two places.

Wouldn't it be possible to forward the user's `access_token` to the Kafka brokers?

I was digging into the code and saw that we have the tokens here where the `AuthenticationResponse` is created:

akhq/src/main/java/org/akhq/modules/OidcUserDetailsMapper.java
Line 48 in a378c62

On the controllers we get the `Authentication` object and could pass it through to the `repository` and to the `KafkaWrapper` and further down where we create the clients. (Probably there is a better option to inject directly, but I'm not too deep into Micronaut.)

This would introduce some overhead since, for each active user+cluster, we would need to have a dedicated client. For sure some cleanup would be necessary in order to get rid of unused clients.

Is this something AKHQ will ever support? Is this something you would include as a contribution? Or do you see other options to achieve the passing of the user identity to the Kafka brokers?
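A sketch of the per user+cluster client cache with cleanup that the post describes, as an added example that is not AKHQ code and not part of the original post. `PerUserClientCache`, its methods and the `factory` parameter are hypothetical, `C` stands in for whatever Kafka client gets built with the user's token, the subject and expiry are assumed to come from an already validated token, and Java 17 is assumed.

```java
import java.time.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical helper, not an AKHQ class. C is a Kafka client built with one user's access token.
public final class PerUserClientCache<C extends AutoCloseable> {
    // Keyed by cluster id and token subject, never by the raw token.
    record Key(String cluster, String subject) {}
    record Entry<C>(C client, Instant tokenExpiry, Instant lastUsed) {}

    private final ConcurrentHashMap<Key, Entry<C>> entries = new ConcurrentHashMap<>();
    private final Duration maxIdle;
    private final Clock clock;

    public PerUserClientCache(Duration maxIdle, Clock clock) {
        this.maxIdle = maxIdle;
        this.clock = clock;
    }

    // Returns this user's client; builds a new one when none is cached or its token expired.
    public C get(String cluster, String subject, String accessToken,
                 Instant tokenExpiry, Function<String, C> factory) {
        Instant now = clock.instant();
        return entries.compute(new Key(cluster, subject), (k, old) -> {
            if (old != null && now.isBefore(old.tokenExpiry())) {
                return new Entry<>(old.client(), old.tokenExpiry(), now);
            }
            if (old != null) closeQuietly(old.client());
            return new Entry<>(factory.apply(accessToken), tokenExpiry, now);
        }).client();
    }

    // Run on a schedule: closes clients that are idle or whose token expired.
    public int evict() {
        Instant now = clock.instant();
        int[] closed = {0};
        for (Key key : entries.keySet()) {
            // Per-key atomic check, so a client handed out by get() is not closed mid-update.
            entries.computeIfPresent(key, (k, v) -> {
                boolean live = now.isBefore(v.tokenExpiry())
                        && Duration.between(v.lastUsed(), now).compareTo(maxIdle) <= 0;
                if (live) return v;
                closeQuietly(v.client());
                closed[0]++;
                return null;
            });
        }
        return closed[0];
    }

    private static void closeQuietly(AutoCloseable c) {
        try { c.close(); } catch (Exception ignored) { }
    }
}
```

Keying on the token subject keeps the raw token out of map keys, and evicting on token expiry as well as idleness means a client is not reused under an identity whose token is no longer valid.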