
Conversation

@LuxTheDude

This PR introduces support for the SASL mechanism OAuthBearer.

It introduces a single new configuration variable "sasl.oauthbearer-token-url", which is a required argument for using OAuthBearer.
It also updates the Helm Chart to include this variable in its values.

I have tested it on a Kafka instance that used Keycloak as the token provider, and it worked as intended.

I hope this small addition can be reviewed and merged rather quickly as I urgently need it.

It solves #422

@LuxTheDude
Author

@danielqsj

Anything more I can do to get this merged?

@marinafrank

marinafrank commented Oct 30, 2025

Hi dear Lux,
thanks for the PR, I am also interested in OAuth support. I tried to test with these parameters:

        - --kafka.server=myserver:9092
        - --tls.enabled
        - --tls.ca-file=/etc/ssl/certs/Root-CA.pem
        - --tls.cert-file=/etc/ssl/certs/tls.crt
        - --tls.key-file=/etc/ssl/certs/tls.key
        - --sasl.enabled
        - --sasl.username=<clientID>
        - --sasl.password=<clientSecret>
        - --sasl.mechanism=oauthbearer
        - --sasl.oauthbearer-token-url=https://<ssoserver.domain>/v1/token

I get this error:

I1030 12:24:02.204004       1 kafka_exporter.go:910] Starting kafka_exporter (version=1.9.0, branch=master, revision=b4f429fff7810552ffc1292daaf77fe9496c95e3)
I1030 12:24:02.204088       1 kafka_exporter.go:911] Build context (go=go1.24.0, platform=linux/amd64, user=me@localhost, date=20251030-10:04:53, tags=netgo)
F1030 12:24:03.964898       1 kafka_exporter.go:1011] Error Init Kafka Client: kafka: client has run out of available brokers to talk to: oauth2: "invalid_scope" "missing required scopes, [openid]"

How do I specify OAuth scopes and other settings?
e.g. on the Java client these are used:

scope="openid audience:server:client_id:<clientID>" 
extension_logicalCluster="<value>"
extension_identityPoolId="<somevalue>"

@LuxTheDude
Author

Hi Marinafrank.

The PR I have made does not support these parameters. It could be argued that the "scope" parameter should be supported, since it is a normal OAuth parameter, supported by the Go package out of the box. However, the extensions, which seem to be some custom claims, are not supported out of the box, and are out of scope for this PR, I believe.

@danielqsj It would be awesome if you could weigh in here and let me know if this is something we can get merged. I am happy to do any updates and alterations needed.
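To make the scope discussion concrete, here is an added example (not the PR's code and not a kafka_exporter flag) of the client_credentials exchange the exporter's OAuth client performs against the token URL, written with the Go standard library only: the client sends the scope and extension values as form fields with the client secret in HTTP Basic auth, and a constructed fake token endpoint reproduces the "invalid_scope" error from the log above when openid is missing. The client-id/client-secret pair, the extension_logicalCluster echo and the tok- prefix are made-up values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)
// FetchToken performs the RFC 6749 section 4.4 client_credentials request (what golang.org/x/oauth2/clientcredentials sends).
func FetchToken(tokenURL, clientID, clientSecret string, scopes []string, extra map[string]string) (string, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if len(scopes) > 0 { // sent space-separated, e.g. "openid audience:server:client_id:<clientID>"
		form.Set("scope", strings.Join(scopes, " "))
	}
	for k, v := range extra { // extension_* values travel as ordinary form fields
		form.Set(k, v)
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return "", err
	}
	req.SetBasicAuth(clientID, clientSecret) // client secret goes in the Authorization header, never the URL
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body map[string]string
	if json.NewDecoder(resp.Body).Decode(&body) != nil || resp.StatusCode != http.StatusOK || body["access_token"] == "" {
		return "", fmt.Errorf("oauth2: %q %q", body["error"], body["error_description"]) // same shape as the exporter log
	}
	return body["access_token"], nil
}

// NewFakeTokenServer is a constructed stand-in for the SSO server; like the real one in the thread it demands the openid scope.
func NewFakeTokenServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fail := func(code int, e, d string) { w.WriteHeader(code); json.NewEncoder(w).Encode(map[string]string{"error": e, "error_description": d}) }
		if u, p, _ := r.BasicAuth(); u != "client-id" || p != "client-secret" { // constructed credentials
			fail(http.StatusUnauthorized, "invalid_client", "bad client credentials")
		} else if !strings.Contains(" "+r.FormValue("scope")+" ", " openid ") {
			fail(http.StatusBadRequest, "invalid_scope", "missing required scopes, [openid]")
		} else { // echo one extension back so a caller can confirm it was transmitted
			json.NewEncoder(w).Encode(map[string]string{"access_token": "tok-" + r.FormValue("extension_logicalCluster")})
		}
	}))
}
```

Calling FetchToken with no scopes yields exactly the `oauth2: "invalid_scope" "missing required scopes, [openid]"` error seen in the exporter log, while adding "openid" to the scope list and the extension as an extra field succeeds.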

@CR6767

CR6767 commented Nov 14, 2025

I am hoping to use this feature when merged.

@LuxTheDude
Author

I have sent @danielqsj an email, but have received no response. He is most likely too busy, so I think anyone needing this urgently should look for other solutions. In the meantime I hope this will still get approved once danielqsj has more time.

accessToken = o.token
err = nil
} else {
token, _err := o.oauth2Config.Token(ctx)
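Review bot: `token, _err := o.oauth2Config.Token(ctx)` in the else branch declares a fresh `_err` with `:=`, so the `err` that the if branch explicitly sets to nil is not assigned on the token-fetch path unless a later line copies `_err` into it; assign to the existing `err` instead (declaring `token` before the `if`, or `token, err = o.oauth2Config.Token(ctx)` once it is in scope) so a failed token fetch is reported through the same `err` the caller checks.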
Owner


  1. `currenttime` and `ctx` are only used once, so I suggest there is no need to define them beforehand.
  2. Is it necessary to use `_err` here? Can we just use `err`?

Author

@LuxTheDude LuxTheDude Nov 27, 2025


Both points are correct. I am new to Go and had some false assumptions.

I have updated the code.

@danielqsj
Owner

@LuxTheDude thanks, some comments left

@LuxTheDude
Author

LuxTheDude commented Nov 27, 2025

> @LuxTheDude thanks, some comments left

@danielqsj
Thank you so much for taking time to review this PR. I have made updates based on your comments.
