add Schema registry OAuth config #81

Open
KyriosGN0 wants to merge 5 commits into kafbat:main from KyriosGN0:sr-oauth

@KyriosGN0 KyriosGN0 commented Apr 6, 2026

Add configuration flags for Schema Registry OAuth2.
Relates to kafbat/kafka-ui#1645 and kafbat/kafka-ui#1575.

Summary by CodeRabbit

  • Documentation
    • Added documentation for Kafka Schema Registry OAuth client‑credentials support alongside existing basic auth. Describes token endpoint URL, OAuth client ID and client secret, scopes, token caching (enabled by default), proactive token refresh buffer (default 60s), and max‑retry behavior for authentication failures (default 1). Includes guidance for enabling and tuning these options and notes that OAuth token endpoint cannot be combined with basic auth for the same cluster.

Signed-off-by: AvivGuiser <avivguiser@gmail.com>
Signed-off-by: AvivGuiser <avivguiser@gmail.com>

coderabbitai bot commented Apr 6, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 4eb5d22 and 4a5cbf7.

📒 Files selected for processing (1)
  • configuration/misc-configuration-properties.md
🚧 Files skipped from review as they are similar to previous changes (1)
  • configuration/misc-configuration-properties.md

Walkthrough

Added documentation for Kafka Schema Registry OAuth client‑credentials configuration: token endpoint (tokenUrl), clientId, clientSecret, scopes, tokenCacheEnabled, tokenRefreshBuffer, and maxRetries for 401 responses. Basic-auth fields (username, password) remain unchanged. The tokenUrl (OAuth token endpoint) cannot be combined with Basic auth for the same cluster.

Changes

Cohort / File(s): SchemaRegistry OAuth configuration docs (configuration/misc-configuration-properties.md, configuration/configuration-file.md)
Summary: Introduced kafka.clusters[].schema-registry-auth.oauth with fields tokenUrl, clientId, clientSecret, scopes, tokenCacheEnabled (default true), tokenRefreshBuffer (default 60s), and maxRetries (default 1). Documented that tokenUrl cannot be used together with Basic auth (username/password) for the same cluster. Documentation-only additions; no public code entities changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@configuration/misc-configuration-properties.md`:
- Around line 37-43: Add OAuth-based Schema Registry options to the YAML docs by
extending the existing schemaRegistryAuth section to include an oauth block with
the keys tokenUrl, clientId, clientSecret, scopes, tokenCacheEnabled,
tokenRefreshBuffer and maxRetries; place this YAML example alongside the
existing username/password example in the schema-registry-auth/docs block (the
same area that currently documents basic auth) and ensure the property names and
defaults match the environment variables
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_* (tokenCacheEnabled default true,
tokenRefreshBuffer default 60s, maxRetries default 1) so users can see both
basic and oauth configuration formats.
- Around line 37-43: Remove the seven SchemaRegistry OAuth configuration entries
(KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_SCOPES,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENCACHEENABLED,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENREFRESHBUFFER,
KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES) from the
configuration/misc-configuration-properties.md documentation since kafka-ui only
supports Basic Authentication for SchemaRegistry; if you prefer to keep OAuth
documented, instead implement the corresponding support in the codebase and
update relevant functions/classes that parse cluster schema registry auth (e.g.,
the config parsing/validation that handles KAFKA_CLUSTERS_*_SCHEMAREGISTRYAUTH)
before re-adding the entries.

📥 Commits

Reviewing files that changed from the base of the PR and between 4338d3f and 7da16d5.

📒 Files selected for processing (1)
  • configuration/misc-configuration-properties.md

Comment thread configuration/misc-configuration-properties.md Outdated
Signed-off-by: AvivGuiser <avivguiser@gmail.com>

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
configuration/configuration-file.md (1)

40-48: State that Basic and OAuth examples are alternative auth modes

Lines 40-48 currently present Basic and OAuth settings together, which can be read as “configure both.” If these are alternatives, add a brief note to prevent misconfiguration.

Suggested doc adjustment
-        # Basic authentication
+        # Basic authentication (use this OR oauth below)
         username: schema registry username
         password: schema registry password
-        # OAuth client-credentials authentication
+        # OAuth client-credentials authentication (alternative to username/password)
         oauth:
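Review bot: The two reworded comments describe the exclusivity in different terms ("use this OR oauth below" on the Basic line, "alternative to username/password" on the OAuth line), and neither names the key that causes the conflict. The walkthrough states that `tokenUrl` cannot be combined with Basic auth for the same cluster, so use one consistent wording on both lines that names `oauth.tokenUrl` and says the two must not be set together. The unchanged context values `schema registry username` and `schema registry password` would also read more clearly as obvious placeholders, so a copied example cannot be mistaken for a working credential.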
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@configuration/configuration-file.md` around lines 40 - 48, Clarify that Basic
and OAuth examples are mutually exclusive by adding a short note near the
authentication examples: update the "Basic authentication" and "OAuth
client-credentials authentication" sections to state these are alternative auth
modes (choose one) and not to be configured together, and ensure the note
references the username/password fields and the
oauth.tokenUrl/clientId/clientSecret keys so readers know which blocks are
alternatives.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@configuration/configuration-file.md`:
- Line 51: Update the documentation for the maxRetries property to explicitly
state that retries are only triggered for 401 Unauthorized responses; edit the
line documenting maxRetries so it mirrors the behavior described in
misc-configuration-properties (i.e., "maxRetries: 1  # default: 1 — retries are
attempted only on 401 Unauthorized responses") and ensure the term maxRetries is
used exactly so readers can match it to the configuration property.

---

Nitpick comments:
In `@configuration/configuration-file.md`:
- Around line 40-48: Clarify that Basic and OAuth examples are mutually
exclusive by adding a short note near the authentication examples: update the
"Basic authentication" and "OAuth client-credentials authentication" sections to
state these are alternative auth modes (choose one) and not to be configured
together, and ensure the note references the username/password fields and the
oauth.tokenUrl/clientId/clientSecret keys so readers know which blocks are
alternatives.

📥 Commits

Reviewing files that changed from the base of the PR and between 7da16d5 and a87f207.

📒 Files selected for processing (1)
  • configuration/configuration-file.md

Comment thread configuration/configuration-file.md Outdated
@Haarolean
Member

@KyriosGN0 can you take a look at the remaining comments?

KyriosGN0 and others added 2 commits April 17, 2026 20:31
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Signed-off-by: AvivGuiser <avivguiser@gmail.com>
@KyriosGN0
Contributor Author

@coderabbitai review

coderabbitai bot commented Apr 17, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@KyriosGN0
Contributor Author

@Haarolean fixed
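
The rule this PR documents (tokenUrl cannot be combined with Basic auth for the same cluster) can be checked before deployment. The following is an added example, not kafka-ui code and not part of the PR: a small lint over the environment variables named in the review. The function names, the USERNAME/PASSWORD suffixes for Basic auth, and the set of keys treated as required are assumptions.

```python
import re

# Names follow the KAFKA_CLUSTERS_<n>_SCHEMAREGISTRYAUTH_* pattern quoted in
# the review; the USERNAME/PASSWORD suffixes for Basic auth are assumed here.
PATTERN = re.compile(r"^KAFKA_CLUSTERS_(\d+)_SCHEMAREGISTRYAUTH_(.+)$")
BASIC = {"USERNAME", "PASSWORD"}
# Assumption: a usable client-credentials block needs all three of these.
OAUTH_REQUIRED = {"OAUTH_TOKENURL", "OAUTH_CLIENTID", "OAUTH_CLIENTSECRET"}
# Defaults as stated in the PR summary.
OAUTH_DEFAULTS = {"OAUTH_TOKENCACHEENABLED": "true",
                  "OAUTH_TOKENREFRESHBUFFER": "60s", "OAUTH_MAXRETRIES": "1"}

def lint_schema_registry_auth(env):
    """Return {cluster index: [findings]} for a mapping of env variables."""
    clusters = {}
    for name, value in env.items():
        match = PATTERN.match(name)
        if match and value:
            clusters.setdefault(int(match.group(1)), set()).add(match.group(2))
    report = {}
    for idx, keys in sorted(clusters.items()):
        findings = []
        basic = sorted(BASIC & keys)
        if "OAUTH_TOKENURL" in keys and basic:
            findings.append("tokenUrl combined with Basic auth: " + ", ".join(basic))
        if any(k.startswith("OAUTH_") for k in keys):
            missing = sorted(OAUTH_REQUIRED - keys)
            if missing:
                findings.append("incomplete OAuth block, missing: " + ", ".join(missing))
        report[idx] = findings
    return report

def effective_oauth_tuning(env, idx):
    """Tuning values for one cluster with the documented defaults filled in."""
    base = f"KAFKA_CLUSTERS_{idx}_SCHEMAREGISTRYAUTH_"
    return {key: env.get(base + key, default) for key, default in OAUTH_DEFAULTS.items()}

# Constructed sample environment: cluster 0 mixes both modes, cluster 1 is OAuth only.
P = "KAFKA_CLUSTERS_"
SAMPLE_ENV = {
    P + "0_SCHEMAREGISTRYAUTH_USERNAME": "sr-user",
    P + "0_SCHEMAREGISTRYAUTH_PASSWORD": "constructed-password",
    P + "0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL": "https://idp.example/oauth/token",
    P + "1_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL": "https://idp.example/oauth/token",
    P + "1_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID": "kafka-ui",
    P + "1_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET": "constructed-secret",
    P + "1_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES": "3",
}
```

Passing `os.environ` to `lint_schema_registry_auth` in a CI step reports every cluster that mixes the two modes without echoing any secret value, since only variable names appear in the findings.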
