Http Sink Connector / OAuth2 not working with Azure Event Hubs

There are a few properties available on the Http Sink Connector for configuring the request and use of an OAuth2 access token.

auth.type=OAUTH2
oauth2.token.url=http://localhost:8080/oauth/token
oauth2.client.id=kc-client
oauth2.client.secret=kc-secret

All this is great but isn’t quite enough to work with AAD and Azure Event Hubs. The missing piece is to identify a resource such that the proper claim can be added to the OAuth2 access token. The error I get back from the Http Sink Connector is this:

kafka-connect            | [2021-08-02 18:46:35,970] ERROR Error while processing HTTP request with Url : https://companyrelationships.servicebus.windows.net/companyrelationships/messages?api-version=2015-01, Status code : 401, Reason Phrase : SubCode=40104: Invalid authorization token audience, Response Content : ,  (io.confluent.connect.http.writer.HttpWriterImpl)

I was able to reproduce the same error in Postman and I was able to get a Postman request to work as well. The difference is that in Postman (and according to MS documentation) I needed to add a ‘Resource’ key with a value of ‘https://.servicebus.windows.net’. By doing this, AAD knows to add the proper role (Azure Event Hubs Data Sender) to the access token and therefore generates a proper token that can be used to send event data to the Azure Event Hub.

The problem with the Http Sink Connector is that there is no property, such as oauth2.resource, to specify the Resource.

The question is, can this property be added to the Confluent Http Sink Connector so that this use case can be supported?
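
An added example, not part of the original post and not connector code: a small offline check for the "Invalid authorization token audience" failure described above. It builds a client-credentials form body with and without the `resource` key and compares a token's `aud` claim with the expected resource. The namespace URL, the helper names and the sample tokens are constructed for illustration, and the exact-match comparison of `aud` against the resource value is an assumption about how the service checks it.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder; substitute the real Event Hubs namespace URL.
RESOURCE = "https://example-namespace.servicebus.windows.net"

def token_request_body(client_id, client_secret, resource=None):
    """Form body for a client-credentials token request.
    'resource' is the extra key the post says the Postman request needed."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret}
    if resource:
        form["resource"] = resource
    return urlencode(form)

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_matches(token, expected):
    """True if 'aud' (a string or a list, per RFC 7519) names the expected resource."""
    aud = jwt_claims(token).get("aud", [])
    auds = [aud] if isinstance(aud, str) else list(aud)
    norm = lambda u: u.rstrip("/").lower()
    return norm(expected) in {norm(a) for a in auds}

def constructed_jwt(claims):
    """Build an unsigned sample token so the check runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

if __name__ == "__main__":
    print(token_request_body("kc-client", "kc-secret"))            # what the connector can send
    print(token_request_body("kc-client", "kc-secret", RESOURCE))  # what Postman sent
    wrong = constructed_jwt({"aud": "api://some-other-app"})       # constructed sample
    right = constructed_jwt({"aud": RESOURCE})                     # constructed sample
    print(audience_matches(wrong, RESOURCE), audience_matches(right, RESOURCE))
```

Pasting a real access token into `jwt_claims` shows which audience the token endpoint actually issued; treat any real token as a secret while doing so.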