
feat(connector): support Kafka SASL/OAUTHBEARER OIDC login (KIP-768)#25499

Open
bpaquet wants to merge 1 commit into risingwavelabs:main from bpaquet:feat/kafka-oidc-support

Conversation

@bpaquet

@bpaquet bpaquet commented Apr 25, 2026

I hereby agree to the terms of the RisingWave Labs, Inc. Contributor License Agreement.

What's changed and what's your intention?

This is a fork of #25491, rebased on current main.

Motivation

RisingWave cannot connect to Kafka clusters protected by OAuth 2.0 / OIDC authentication — a standard pattern in enterprise deployments (Keycloak, Auth0, Okta, Azure AD, Confluent Cloud with OIDC, etc.).

librdkafka has supported the full OIDC login flow since KIP-768: given sasl.oauthbearer.method=oidc plus client credentials and a token endpoint, it fetches and auto-refreshes tokens against the IdP without any application-level callback.

The only thing missing was on the RisingWave side:

  1. KafkaConnectionProps did not expose any of the OIDC properties, so users had no way to pass them through WITH (...).
  2. set_security_properties unconditionally enabled enable.sasl.oauthbearer.unsecure.jwt=true, which conflicts with method=oidc.
  3. librdkafka was not built with curl support, which is required for the OIDC HTTP token flow.

What this PR does

This is a pure configuration passthrough — no custom token logic, no callbacks, no refresh threads. We just expose librdkafka's existing OIDC configuration properties and let it handle everything:

  • Add 5 new properties to KafkaConnectionProps: sasl.oauthbearer.method, sasl.oauthbearer.client.id, sasl.oauthbearer.client.secret, sasl.oauthbearer.token.endpoint.url, sasl.oauthbearer.scope
  • Only set enable.sasl.oauthbearer.unsecure.jwt=true when method is NOT oidc
  • Enable the curl feature on rdkafka so librdkafka is built with HTTP client support (required for OIDC)
  • Regenerate with_options_*.yaml files

Usage

```sql
CREATE SOURCE kafka_src WITH (
  connector = 'kafka',
  topic = 'events',
  'properties.bootstrap.server' = 'broker:9093',
  'properties.security.protocol' = 'SASL_SSL',
  'properties.sasl.mechanism' = 'OAUTHBEARER',
  'properties.sasl.oauthbearer.method' = 'oidc',
  'properties.sasl.oauthbearer.client.id' = 'risingwave-client',
  'properties.sasl.oauthbearer.client.secret' = '',
  'properties.sasl.oauthbearer.token.endpoint.url' = 'https://idp.example.com/oauth/token',
  'properties.sasl.oauthbearer.scope' = 'kafka'
) FORMAT PLAIN ENCODE JSON;
```

Token acquisition, caching, and refresh are fully delegated to librdkafka's built-in OIDC client.

Scope & safety

  • Applies uniformly to sources, sinks, and standalone connections (they all share KafkaConnectionProps).
  • The existing unsecured JWT path is preserved: the unsecure.jwt flag is still set unless the user explicitly opts into method=oidc.
  • No change to the AWS MSK IAM code path.
  • Tested locally against a real OIDC provider.

Checklist

  • I have written necessary rustdoc comments.
  • I have added necessary unit tests and integration tests.
  • My PR contains breaking changes.

Documentation

  • My PR needs documentation updates.

Release note

Kafka sources, sinks, and connections can now authenticate against OAuth 2.0 / OIDC providers using librdkafka's built-in OIDC login flow. Set properties.sasl.oauthbearer.method to oidc and provide properties.sasl.oauthbearer.client.id, properties.sasl.oauthbearer.client.secret, and properties.sasl.oauthbearer.token.endpoint.url. Tokens are fetched and refreshed automatically by librdkafka. properties.sasl.oauthbearer.scope is also available.
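The passthrough rule the description gives (forward librdkafka's five OIDC keys unchanged, set enable.sasl.oauthbearer.unsecure.jwt only when the method is not oidc), as an added standalone Rust sketch that is not RisingWave's set_security_properties or the PR's code. It assumes the WITH keys arrive without the properties. prefix; the required-key check for method=oidc and the redacted() helper for log output are additions made here, not behaviour the PR describes.

```rust
use std::collections::BTreeMap;

/// librdkafka's own OIDC properties (KIP-768), forwarded unchanged.
const OIDC_KEYS: [&str; 5] = [
    "sasl.oauthbearer.method",
    "sasl.oauthbearer.client.id",
    "sasl.oauthbearer.client.secret",
    "sasl.oauthbearer.token.endpoint.url",
    "sasl.oauthbearer.scope",
];

/// Build the SASL-related librdkafka config from the user's WITH (...) keys
/// (given here without the `properties.` prefix). Standalone sketch of the
/// logic the PR describes, not RisingWave's set_security_properties.
pub fn security_properties(
    with_props: &BTreeMap<&str, &str>,
) -> Result<BTreeMap<String, String>, String> {
    let mut cfg = BTreeMap::new();
    for key in OIDC_KEYS {
        if let Some(v) = with_props.get(key) {
            cfg.insert(key.to_string(), v.to_string());
        }
    }
    if with_props.get("sasl.oauthbearer.method").copied() == Some("oidc") {
        // Assumed check (not part of the PR): the client-credentials flow
        // needs all three of these, so reject the source at CREATE time.
        for key in &OIDC_KEYS[1..4] {
            if !cfg.contains_key(*key) {
                return Err(format!("{key} is required when sasl.oauthbearer.method = oidc"));
            }
        }
    } else {
        // Legacy behaviour kept: unsecured JWT only when OIDC was not chosen.
        cfg.insert("enable.sasl.oauthbearer.unsecure.jwt".into(), "true".into());
    }
    Ok(cfg)
}

/// Copy of the config that is safe to log or display: the client secret is masked.
pub fn redacted(cfg: &BTreeMap<String, String>) -> BTreeMap<String, String> {
    cfg.iter()
        .map(|(k, v)| {
            let shown = if k == "sasl.oauthbearer.client.secret" { "***" } else { v.as_str() };
            (k.clone(), shown.to_string())
        })
        .collect()
}
```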

Enable native OIDC client credentials flow for Kafka authentication
by exposing librdkafka's built-in OIDC configuration properties through
KafkaConnectionProps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bpaquet bpaquet requested a review from a team as a code owner April 25, 2026 10:26
@bpaquet bpaquet requested review from xiangjinwu and removed request for a team April 25, 2026 10:26