Saxo Bank is on a growth journey and Kafka is a critical component to that success. Securing our financial event streams is a top priority for us and initially we started with an on-prem Kafka cluster secured with (the de-facto) Kerberos. However, as we modernize and scale, the demands of hybrid cloud, multiple domains, polyglot computing and Data Mesh require us to also modernize our approach to security. In this talk, we will describe how we took the default (non-production ready) Kafka OAuth implementation and productionized it to work with Kafka in Azure Cloud, including the Kafka stack and clients. By enabling both Kerberos and OAuth running on-prem and in the cloud, we now plan to gracefully retire Kerberos from our estate.

1. Page 1
How We Eased Our Security Journey With OAuth (Goodbye
Kerberos)

2. Page 2
Paul Makkar – Head of Data in Motion, Saxo Bank
Rahul Gulati – Senior Data Platform Engineer, Saxo Bank

3. Page 3
Saxo Bank is a Global, Multi-Asset Facilitator
We unbundle the value chain
through
our open architecture
We source the best ideas, products,
liquidity and services from the best
providers
Capital markets products,
services and liquidity
Saxo Bank facilitation Distribution to clients
– The SaxoExperience
We run and develop one global, multi-asset, multi-tenanted
tech stack,
and one set of global business processes
We distribute capital market and
asset management products and
services
through our platforms tied together
by
the SaxoExperience
Trading platforms
FIX / Open API
CRM & CMS API
OMS / EMS
Broker connectivity
Hosting services
Clearing and settlement
Client account
structures
Margin & risk
management
Market data
connectivity
Custody
EOD files, FSSO & TENS
Regulatory reporting
Traders
Investors
Wholesale
SaxoTraderPRO
and
SaxoTradersGO
for self-directed
traders
SaxoInvestor for
self-directed and
delegating
investors
Outsourced capital
markets
infrastructure and
client facing front
ends
Processes
Open
/ FIX
API
Tech Stack
Execution and trading
Market data
Custody and back
office
Reporting
Business
management
Client management
Integration

4. Page 4
Saxo and Kafka
Building a Data Mesh
Kafka
self-service
Domain
Team
Domain
Team Domain
Team
Data In Motion
Security is key to our success
Education

5. Page 5
Authentication
vs Authorization

6. Page 6
Phase I

7. Page 7
Cluster Components and Security
On-prem Broker Zookeeper
Broker SASL(Kerberos) + TLS SASL(Kerberos)
Kafka Connect SASL(Kerberos) + TLS NA
Schema Registry SASL(Kerberos) + TLS NA
Control Center SASL(Kerberos) + TLS NA

8. Page 8
Challenges with Kerberos
Cross realm authentication is hard!
Authentication from the cloud using On Prem LDAP/AD not possible.
Very difficult to debug.

9. Page 9

10. Page 10
OAuth with Kafka
Looked possible, looked promising.
Complete production ready solution not available out of the box

11. Page 11
OAuth with Kafka – Why Not Production Ready?
Default implementation of OAuthbearer deals with Unsecured JWT tokens.
Generates arbitrary tokens. Only suitable for DEV/TEST environments.
No external Authorization server involved for granting tokens and authenticating clients.

12. Page 12
OAuth with
Azure Active
Directory (AAD)

13. Page 13
Introductio
n
OAuth is an authorization framework that enables
you or your application to get access to an HTTP
service either on behalf of resource owner or by
allowing your application to obtain access on its
own behalf.

14. Page 14
OAuth
Terminology

15. Page 15
OAuth Terminology
Grant Types
Client Credentials
An Access Token are the tokens used to access resources.
A Refresh Token represents your next authorization.
Grant Type or Flow specifies how you retrieve those tokens.

16. Page 16
Phase II

17. Page 17
Cluster Components and Security
Azure Cluster Broker Zookeeper
Broker SASL(OAuth) + TLS SASL(Digest)
Kafka Connect SASL(OAuth) + TLS NA
Schema Registry SASL(OAuth) + TLS NA
Control Center SASL(OAuth) + TLS NA

18. Page 18
OAuth Authentication Flow in Kafka
Azure AD
Kafka Broker
1. Request Token(client id
and secret)
2. Access Token
3. OAuth Access
Token
4. Authenticated
Brokers, Connect,
Schema Registry,
Control Center
Clients

19. Page 19
OAuth Detailed Implementation (Authentication)
Clients Brokers
Azure AD
Request
Token Validate
Access Token
SASL Authentication Request (Access Token)
SASL Authentication Response
Produce/Consume Request
Response

20. Page 20
Authentication with OAuth (JWT Token
Retrieval & Validation)

21. Page 21
JWT (JSON WEB TOKENS)
aaa.bbbbbbb.cccc
Header Payload Signature

22. Page 22
Azure AD App Registration
• Separate Apps for Brokers, Producers, Consumers, Connect, SR etc. across different
environments i.e., Dev, Test & Prod.
• Authentication based on client Id and Client secret of Apps.

23. Page 23
Retrieving Azure AD Token
{"token_type":"Bearer","expires_in":"3599","ext_
expires_in":"3599","expires_on":"1596455877","
not_before":"1596451977","resource":"0000000
2-0000-0000-c000-
000000000000","access_token":"eyJ0eXAiOiJK
V1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Imh1Tjk1SXZ
QZmVocTM0R3pCRFoxR1hHaXJuTSIsImtpZCI6I
mh1Tjk1SXZQZmVocTM0R3pCRFoxR1hHaXJuT
SJ9.eyJhdW…
Broker Logs
Access
Token

24. Page 24
Validating JWT (Brokers)
• Validate Token Length. Valid token to have 3 parts i.e. Header, Payload, Signature.
• Validate Token Signature:
• Decode Token header.
• Get token signing key.
• Verify if token is signed by Azure AD keys.
Decoded
Header

25. Page 25
Validating JWT (Brokers, contd )
• Validate token expiry & audience based on token claims i.e., exp & aud.
Decoded Payload
• Broker Logs

26. Page 26
Phase I, Phase II....
Phase III

27. Page 27
Producers Consumers
Broker 1
Broker 2
Kafka Cluster
Zookeeper 1
Zookeeper 2
Zookeeper
Cluster
Kerberos
Kerberos &
TLS
Connect
Schema
Registry
Control Center
Kerberos/TL
S
Producers Consumers
Broker 1
Broker 2
Zookeeper 1
Zookeeper 2
Zookeeper
Cluster
Connect Control Center
Schema
Registry
OAuth /TLS
OAuth & TLS
Digest
OAuth/TLS
Kerberos OAuth
Security Setup – Different Phases
OAuth
Azure AD

28. Page 28
Authorization

29. Page 29
OAuth Detailed Implementation (Authorization)
Zookeeper
Get ACL's
Authorizer
Load ACL's
Authorization
Allow/Deny

30. Page 30
Kafka ACL’s – Azure AD App Client IDs
Authorization Issues (Without granting Topic ACL’s).
Producer/Consumer ACL’s
Azure Client ID

31. Page 31
Enabling OAuth on Kafka
Brokers
Clients (Producer/Consumers)

32. Page 32
Brokers Configuration
Supporting Multiple Listeners on Brokers

33. Page 33
Easy to authenticate Producers/Consumers Apps' running anywhere i.e. On Prem/Cloud.
Cross domain authentication became possible (in fact, not even relevant).
Much easier to onboard new clients and authenticate AD Apps.
Debugging authentication issues became easier.
Have started the journey to deprecate Kerberos.
How Has The Journey Been So Far?