# Authentication

> For the complete documentation index, see [llms.txt](https://docs.redpanda.com/llms.txt). Component-specific: [streaming-full.txt](https://docs.redpanda.com/streaming-full.txt)

---
title: Authentication
latest-redpanda-tag: v24.3.9
latest-console-tag: v3.7.3
latest-operator-version: v26.1.4
# EOL = End-of-Life (support lifecycle status)
page-is-nearing-eol: "false"
page-is-past-eol: "true"
page-eol-date: December 3, 2025
latest-connect-version: 4.93.0
docname: config/security/authentication
page-component-name: streaming
page-version: "24.3"
page-component-version: "24.3"
page-component-title: Streaming
page-relative-src-path: config/security/authentication.adoc
page-edit-url: https://github.com/redpanda-data/docs/edit/v/24.3/modules/console/pages/config/security/authentication.adoc
description: Redpanda Console supports authentication using OAuth 2.0 or OIDC for external identity providers.
page-git-created-date: "2024-09-11"
page-git-modified-date: "2025-01-17"
support-status: past end-of-life
---

<!-- Source: https://docs.redpanda.com/streaming/24.3/console/config/security/authentication.md -->

> 📝 **NOTE**
>
> This feature requires an [enterprise license](https://docs.redpanda.com/streaming/24.3/get-started/licensing/overview/). To get a trial license key or extend your trial period, [generate a new trial license key](https://redpanda.com/try-enterprise). To purchase a license, contact [Redpanda Sales](https://redpanda.com/upgrade).
>
> If Redpanda Console has enterprise features enabled and it cannot find a valid license either in its [local configuration](https://docs.redpanda.com/streaming/24.3/console/config/enterprise-license/) or in the [connected Redpanda cluster](https://docs.redpanda.com/streaming/24.3/get-started/licensing/add-license-redpanda/), it redirects you to the license expiration landing page, and all other access is restricted.

Redpanda Console supports authentication using OAuth 2.0 or OIDC for external identity providers, such as:

-   [Microsoft Entra ID](https://docs.redpanda.com/streaming/24.3/console/config/security/azure-ad/)

-   [Google](https://docs.redpanda.com/streaming/24.3/console/config/security/google/)

-   [GitHub](https://docs.redpanda.com/streaming/24.3/console/config/security/github/)

-   [Keycloak](https://docs.redpanda.com/streaming/24.3/console/config/security/keycloak/)

-   [Okta](https://docs.redpanda.com/streaming/24.3/console/config/security/okta/)

-   [Generic OIDC](https://docs.redpanda.com/streaming/24.3/console/config/security/generic-oidc/)


You can use one or more login providers at the same time. To enable SSO authentication, you must create an OAuth application for your organization first. Refer to the respective documentation page for guidance to set up your desired identity provider in Redpanda Console. Afterwards, you can configure your identity provider in Redpanda Console by providing the clientId and clientSecret in the configuration block for your provider. The configuration to add Google login support looks like this:

```yaml
login:
  enabled: true

  # jwtSecret is the secret key you must use to sign and encrypt the JSON
  # web token used to store user sessions. This secret key is
  # critical for the security of Redpanda Console's authentication and
  # authorization system. Use a long, complex key with a combination of
  # numbers, letters, and special characters. While you must use a minimum of
  # 10 characters, Redpanda recommends using more than 32
  # characters. For additional security, use a different secret key for
  # each environment. jwtSecret can be securely generated with the following
  # command: LC_ALL=C tr -dc '[:alnum:]' < /dev/random | head -c32
  #
  # If you update this secret key, any users who are
  # already logged in to Redpanda Console will be logged out and will have
  # to log in again.
  jwtSecret: ""

  google:
    enabled: true
    clientId: redacted.apps.googleusercontent.com
    clientSecret: redacted # can be set with an environment variable
    # The directory config is optional. You have to configure it if you want to use
    # Google groups in your RBAC role bindings.
    # directory:
    #  serviceAccountFilepath: /etc/secrets/google-sa.json
    #  # targetPrincipal is the user that shall be impersonated
    #  # for the Google Admin API calls.
    #  targetPrincipal: admin@mycompany.com
```

By default, users don’t have any permissions in Redpanda Console, including permission to log in. After you set up authentication, continue with the authorization configuration by reading about [RBAC-based authorization](https://docs.redpanda.com/streaming/24.3/console/config/security/authorization/).

## Suggested labs

-   [Enable Unified Identity with Azure Entra ID for Redpanda and Redpanda Console](https://docs.redpanda.com/labs/docker-compose/oidc/)

[Search all labs](https://docs.redpanda.com/labs)