Authentication and Authorization flows on Gateway

[twobeeb]

No description provided.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
conduktor-docs	✅ Ready (Inspect)	Visit Preview	Apr 9, 2025 9:40am

[chuck-alt-delete]

Would love for this to be the opportunity to standardize on vocabulary:

• “layered security” for gateway security
• “delegated security” for delegated

Also I feel we are missing some opinions about when to choose which.

For me, layered makes sense if you are using Exchange, server side filtering, topic concentration (“unlimited topics”), or you want to reduce vendor lock-in with the Kafka provider (looking at you, MSK IAM!). But the cost is a migration of the clients. They need new identities, credentials, and permissions. This is pretty easy in some circumstances (just migrate the ACLs and use the same OAuth credentials), but trickier in others (eg translating permissions from Confluent RBAC to ACLs).

Conversely delegated is the easiest to migrate clients. Only change required for the client is a new bootstrap server. This can be a hard requirement if the customer wants minimal disruption.

[chuck-alt-delete]

We have some simple diagrams here that I’ve found helpful as well and might be good to include:

https://docs.google.com/presentation/d/11q9CQLufH4HO5i2uph55UdrxhC6ECRON7ZCUR_QR0wE/edit