Add sasl_oauth_token_provider_class for native OAUTHBEARER support

[dylanbstorey]

Summary

• Adds sasl_oauth_token_provider_class config option that accepts a Python import path (via pydantic ImportString) to a class implementing the TokenWithExpiryProvider protocol
• When configured, an instance is created and passed as sasl_oauth_token_provider to all Kafka client factories — admin, consumer, and producer — including the schema reader's internal clients
• Enables native OAUTHBEARER auth (e.g. AWS MSK IAM) without monkey-patching

Problem

kafka_utils.py and schema_reader.py create Kafka clients but never pass sasl_oauth_token_provider, even though _KafkaConfigMixin already supports it via KafkaClientParams → oauth_cb. Anyone deploying Karapace against AWS MSK with IAM auth must monkey-patch the client factories or build a custom wrapper.

Solution

New config option configurable via env var:

KARAPACE_SECURITY_PROTOCOL=SASL_SSL
KARAPACE_SASL_MECHANISM=OAUTHBEARER
KARAPACE_SASL_OAUTH_TOKEN_PROVIDER_CLASS=examples.msk_iam_token_provider:MSKIAMTokenProvider

The referenced class must implement:

def token_with_expiry(self, config: str | None) -> tuple[str, int | None]

Changes

• src/karapace/core/config.py: Add sasl_oauth_token_provider_class: ImportString | None field
• src/karapace/core/kafka_utils.py: Instantiate provider and pass to all 3 factory functions
• src/karapace/core/schema_reader.py: Same for the 2 internal factory functions
• examples/msk_iam_token_provider.py: Example AWS MSK IAM token provider using aws-msk-iam-sasl-signer-python
• tests/unit/test_oauth_token_provider.py: 14 unit tests covering config, all 5 factories (with/without provider)

Test plan

• 14 unit tests pass locally (tests/unit/test_oauth_token_provider.py)
• Existing tests unaffected (no behavior change when option is unset)

[muralibasani]

@dylanbstorey can you pls rebase?

[dylanbstorey]

done

[muralibasani]

@dylanbstorey there seems to be some lint errors

[dylanbstorey]

done

[dylanbstorey]

Hey — just a note on the 3.14 test failure: we've seen two different tests fail across two CI runs (test_coordinator_workflow and test_schema_registry_oidc), both only on 3.14. Tests on 3.12 and 3.13 have been passing cleanly.

Our changes only add a new config field (sasl_oauth_token_provider_class) that defaults to None and is only activated when explicitly set, so they shouldn't affect any existing code paths. Given the different failures each run and that they're both e2e/timing-sensitive tests, we suspect these may be flaky on 3.14 rather than related to our changes.

They’re also passing locally from the makefile tests-in-docker pattern you provide.

Happy to re-trigger CI or investigate further if needed!

[dylanbstorey]

@muralibasani
Ok got the OIDC test passing by putting a health check in to wait for the registry to be available. Let’s see if that did it.

[dylanbstorey]

Rebased on main (includes merged #1225). All tests passing locally:

• Unit tests: 631 passed
• E2E tests: 61 passed (fixed the flaky OIDC test — was a primary election race condition)
• Mypy: no issues found in 137 source files
• test_registering_normalized_schema: passed locally. I can’t reproduce the failure after a few tries.

[dylanbstorey]

@muralibasani , added some more retries and polling helpers to help with flakiness.

[dylanbstorey]

@muralibasani - looks like the recent merges to master have stabilized the tests and this is passing now. ready for a review for real this time.

Thanks !

[muralibasani]

can we check for token_with_expiry ?

[muralibasani]

@dylanbstorey thanks for the pr. Have a few comments left.

[dylanbstorey]

@muralibasani , updated