Add support for different claims for authentication

[pranav shah (prashah-confluent)]

PR description

Problem

For OIDC / SASL_OAUTHBEARER flows using librdkafka’s built‑in OIDC helper, we currently hard‑require that the JWT payload contain a sub claim. If the IdP omits sub or uses another claim (for example client_id) as the primary subject, librdkafka fails token acquisition with an error such as:

Failed to acquire SASL OAUTHBEARER token: Expected JSON JWT response with "sub" field

Fix

We have introduced a new config sub_claim_name using which customers can provide a different claim. The claim value will be honored and used for client side validation.

Note
Requires users to keep broker and client configs aligned for the subject claim name to avoid confusion and consistency.

Testing

Unit tests

To test the core JWT payload parsing and claim extraction logic inside rd_kafka_oidc_token_try_validate() in isolation (no broker, network, oidc server).

1. Default Configuration & Backward Compatibility
   Implicit Default Behavior: Validate that when sub.claim.name is not provided, the system defaults to extracting the subject from the "sub" claim.
   Legacy Parity: Ensure that existing JWTs containing only the "sub" claim continue to be processed correctly, maintaining no regressions for standard OIDC flows.

2. Explicit Claim Configuration (KIP-768 Parity)
   Custom Claim Extraction: Verify that setting sub.claim.name (e.g., to client_id) successfully extracts the value from the specified field instead of the hardcoded "sub" key.
   Configuration Precedence: Test that when both "sub" and a custom claim (e.g., "client_id") coexist in a JWT, the system honors the user-defined configuration over the OIDC default.

3. Error Handling & Validation Logic
   Missing Claim Detection: Verify that providing a sub.claim.name that does not exist in the JWT triggers a specific "Claim not found" error, rather than failing on a hardcoded "sub".
   Empty Value Rejection: Ensure the system rejects empty string subjects with a "non-empty value required" error, addressing previous bugs where empty strings passed silently.
   Invalid Configuration Recovery: Validate that if sub.claim.name is set to an empty string, the system gracefully falls back to the OIDC default ("sub") to ensure continuous operation.

4. librdkafka & Java Client Alignment
   Functional Parity: Ensure all scenarios are cross-validated against the Java KIP-768 implementation to guarantee identical extraction logic and exception triggers (e.g., ValidateException equivalents).

Integration tests

• To validate end-to-end OIDC authentication against a real Kafka cluster (via trivup) with different sasl.oauthbearer.sub.claim.name configurations
• The trivup setup requires changes for returning JWT response with multiple claims

Design Doc

[confluent-cla-assistant]

🎉 All Contributor License Agreements have been signed. Ready to merge.
_{Please push an empty commit if you would like to re-run the checks to verify CLA status for all contributors.}

[Emanuele Sabellico (emasab)]

Thanks Pranav! This is my feedback:

[Emanuele Sabellico (emasab)]

Suggested change

	"sasl.oauthbearer.sub.claim.name configuration for consistent "
	"`sasl.oauthbearer.sub.claim.name` configuration for consistent "

[Emanuele Sabellico (emasab)]

rebuild CONFIGURATION.md as well.

[pranav shah (prashah-confluent)]

Changed to "sasl.oauthbearer.sub.claim.name" and rebuilt CONFIGURATION.md

[Emanuele Sabellico (emasab)]

it shoud be a rd_dassert here, not reverting to the default. The configuration should be validated in rd_kafka_conf_finalize_oauthbearer_oidc and using rd_kafka_conf_is_modified on the field and then check for NULL or a an empty string or whitespace string ("\s+") you can write a function like the Java method ClaimValidationUtils.validateString.

[pranav shah (prashah-confluent)]

Added rd_dassert and as suggested added helper api which validates string only if config is modified.

[Emanuele Sabellico (emasab)]

This function should be agnostic to the failure cause (at the moment it's only this one but in future there can be other test cases).

Suggested change

	/* These variations should fail due to missing claim */
	/* These variations should fail */

[pranav shah (prashah-confluent)]

Modified the comment to make the function failure agnostic

[Emanuele Sabellico (emasab)]

Suggested change

	* [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575#KIP768:ExtendSASL/OAUTHBEARERwithSupportforOIDC-ClientConfiguration) Extend SASL/OAUTHBEARER to support OIDC claim mapping beyond the default `sub` claim [(#5336)](https://github.com/confluentinc/librdkafka/pull/5336)
	* [KIP-768](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575#KIP768:ExtendSASL/OAUTHBEARERwithSupportforOIDC-ClientConfiguration) Extend SASL/OAUTHBEARER to support OIDC claim mapping beyond the default `sub` claim (#5336).

The link is already added by GH in the release page, so we don't put the link here.

[pranav shah (prashah-confluent)]

Removed the link

[Emanuele Sabellico (emasab)]

We can remove these two cases after putting an assert there as it must not reach this function if those preconditions aren't satisfied.

Suggested change

	{"NULL sub_claim_name defaults to 'sub'", UT_JWT_SUB_ONLY, NULL,
	rd_true, "subject"},
	{"Empty sub_claim_name defaults to 'sub'", UT_JWT_SUB_ONLY, "",
	rd_true, "subject"},

[pranav shah (prashah-confluent)]

Removed the test cases since they can't be valid at this point.

[Emanuele Sabellico (emasab)]

This one should fail as well. Similarly to the Java client, in case it's set it should be valid otherwise the user could want to set something but there was a bug in their code so an empty string was received instead.

[pranav shah (prashah-confluent)]

This should pass due to librdkafka convention which sets the config to default values if empty/NULL string is provided.