feat: Add OAuth2 client credentials support for Kafka SASL

[engkeong]

Description

Implements OAuth2 client credentials support for Kafka SASL authentication with dynamic token renewal.

Changes

• OAuth2 Integration: Added OAuth2 client credentials configuration for OAUTHBEARER mechanism
• Dynamic Token Renewal: Automatic token management without manual updates
• Provider Compatibility: Supports Microsoft Entra, Okta, Auth0, and Keycloak
• Configurable Scopes: Optional scopes and endpoint parameters for flexibility
• Test Coverage: Comprehensive OAuth2 flow testing

How it works

The new \oauth2\ configuration allows specifying OAuth2 client credentials. When enabled, the Kafka client will automatically request and refresh tokens from the configured token endpoint, handling token expiration seamlessly.

Configuration Example

\\yaml
sasl:

• mechanism: OAUTHBEARER
  oauth2:
  enabled: true
  client_key: your-client-id
  client_secret: your-client-secret
  token_url: https://your-provider.com/oauth2/token
  scopes:
  - your-scope
  \\

Benefits

• Improved Reliability: Automatic token refresh prevents authentication failures
• Reduced Overhead: No manual token management required
• Enterprise Ready: Works with major OAuth2 providers
• Flexibility: Supports additional endpoint parameters (e.g., audience)

Testing

OAuth2 client credentials flow has been tested with proper token handling and scope configuration.

[CLAassistant]

All committers have signed the CLA.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

EK (Eng Keong) Lim seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}