add Schema registry OAuth config

configuration/configuration-file.md

@@ -37,8 +37,18 @@ kafka:
       schemaRegistryShowNullValues: true  # Show null fields in Avro messages (default: false)
       schemaRegistryUseFullyQualifiedNames: true  # Use full type names in unions (default: false)
       schema-registry-auth:
+        # Basic authentication
         username: schema registry username
         password: schema registry password
+        # OAuth client-credentials authentication
+        oauth:
+          tokenUrl: https://auth.example.com/oauth/token
+          clientId: your-client-id
+          clientSecret: your-client-secret
+          scopes: schema-registry:read,schema-registry:write
+          tokenCacheEnabled: true   # default: true
+          tokenRefreshBuffer: 60s   # default: 60s
+          maxRetries: 1             # default: 1 (retries on 401 Unauthorized)
       schema-registry-ssl:
         keystore-location: path/to/keystore/file.jks
         keystore-password: password

configuration/misc-configuration-properties.md

@@ -34,6 +34,13 @@ kafka:
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRY`                     | SchemaRegistry's address                                                                                                                                         |
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_USERNAME`        | SchemaRegistry's basic authentication username                                                                                                                   |
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_PASSWORD`        | SchemaRegistry's basic authentication password                                                                                                                   |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENURL`       | Token URL for SchemaRegistry's OAuth client-credentials authentication. Cannot be combined with Basic auth on the same cluster.                             |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTID`       | Client ID for SchemaRegistry's OAuth authentication                                                                                                         |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_CLIENTSECRET`   | Client secret for SchemaRegistry's OAuth authentication                                                                                                     |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_SCOPES`         | Comma-separated list of OAuth scopes to request for SchemaRegistry authentication                                                                           |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENCACHEENABLED` | Enable caching of OAuth tokens for SchemaRegistry. Default: `true`                                                                                       |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_TOKENREFRESHBUFFER` | Duration before token expiry to proactively refresh the token (e.g. `60s`, `360s`). Default: `60s`                                                    |
+| `KAFKA_CLUSTERS_0_SCHEMAREGISTRYAUTH_OAUTH_MAXRETRIES`     | Max number of retries on 401 Unauthorized responses from SchemaRegistry. Default: `1`                                                                       |
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_KEYSTORELOCATION` | Path to the JKS keystore to communicate to SchemaRegistry                                                                                                        |
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYSSL_KEYSTOREPASSWORD` | Password of the JKS keystore for SchemaRegistry                                                                                                                  |
 | `KAFKA_CLUSTERS_0_SCHEMAREGISTRYSHOWNULLVALUES`       | Show null fields in Avro messages instead of omitting them. Default: false                                                                                       |