redpanda-data · david-yu · Apr 21, 2026 · Apr 17, 2026 · Apr 17, 2026
@@ -177,7 +177,7 @@ type DebugPartition struct {
 // debug bundle process.
 // See rpk debug bundle --help
 type debugBundleStartConfigParameters struct {
-	// one of DebugBundleSCRAMAuthentication or DebugBundleOIDCAuthentication
+	// one of debugBundleSCRAMAuthentication or debugBundleOAuthBearerAuthentication
 	Authentication               any                        `json:"authentication,omitempty"`
 	ControllerLogsSizeLimitBytes int32                      `json:"controller_logs_size_limit_bytes,omitempty"`
 	LogsSizeLimitBytes           int32                      `json:"logs_size_limit_bytes,omitempty"`
@@ -206,6 +206,14 @@ type debugBundleSCRAMAuthentication struct {
 	Password  string `json:"password,omitempty"` //nolint:gosec // G117: field holds SCRAM credentials for debug bundle API
 }
 
+// debugBundleOAuthBearerAuthentication are the OAUTHBEARER authentication
+// parameters. The token is the raw OIDC bearer token that the broker-side rpk
+// subprocess will present to Kafka.
+type debugBundleOAuthBearerAuthentication struct {
+	Mechanism string `json:"mechanism,omitempty"`
+	Token     string `json:"token,omitempty"`
+}
+
 type debugBundleStartConfig struct {
 	JobID  string                           `json:"job_id,omitempty"`
 	Config debugBundleStartConfigParameters `json:"config,omitempty"`
@@ -231,6 +239,17 @@ func WithSCRAMAuthentication(username, password, mechanism string) DebugBundleOp
 	}}
 }
 
+// WithOAuthBearerAuthentication sets OAUTHBEARER authentication using the
+// given OIDC bearer token.
+func WithOAuthBearerAuthentication(token string) DebugBundleOption {
+	return debugBundleOpt{func(param *debugBundleStartConfigParameters) {
+		param.Authentication = debugBundleOAuthBearerAuthentication{
+			Mechanism: OAuthBearer,
+			Token:     token,
+		}
+	}}
+}
+
 // WithControllerLogsSizeLimitBytes sets the controller-logs-size-limit parameter.
 func WithControllerLogsSizeLimitBytes(v int32) DebugBundleOption {
 	return debugBundleOpt{func(param *debugBundleStartConfigParameters) {

@@ -76,4 +76,22 @@ func TestDebugBundleOption(t *testing.T) {
 		pj, _ := json.Marshal(params)
 		assert.Equal(t, `{"authentication":{"mechanism":"SCRAM-SHA-256","username":"user1","password":"pass1"}}`, string(pj))
 	})
+
+	t.Run("oauthbearer auth", func(t *testing.T) {
+		opts := []DebugBundleOption{
+			WithOAuthBearerAuthentication("my-jwt-token"),
+		}
+		params := &debugBundleStartConfigParameters{}
+		for _, o := range opts {
+			o.apply(params)
+		}
+
+		authBearer, ok := params.Authentication.(debugBundleOAuthBearerAuthentication)
+		assert.True(t, ok)
+		assert.Equal(t, OAuthBearer, authBearer.Mechanism)
+		assert.Equal(t, "my-jwt-token", authBearer.Token)
+
+		pj, _ := json.Marshal(params)
+		assert.Equal(t, `{"authentication":{"mechanism":"OAUTHBEARER","token":"my-jwt-token"}}`, string(pj))
+	})
 }
@@ -32,6 +32,8 @@ const (
 	ScramSha512 = "SCRAM-SHA-512"
 	// CloudOIDC is the constant for CLOUD-OIDC.
 	CloudOIDC = "CLOUD-OIDC"
+	// OAuthBearer is the constant for OAUTHBEARER.
+	OAuthBearer = "OAUTHBEARER"
 )
 
 // CreateUser creates a user with the given username and password using the