[v/25.3] manage: document rpk OAUTHBEARER (OIDC) for Kafka/Admin/SR APIs

[david-yu]

Backports the rpk OAUTHBEARER documentation to v/25.3. rpk OAUTHBEARER (redpanda-data/redpanda#30169) was backported to the v25.3.x release line, so it should be documented here.

A literal cherry-pick of #1762 wasn't possible — the foundational OAUTHBEARER content #1762 refines doesn't exist on this branch (authentication.adoc is ~490 lines behind main). This PR ports the self-contained OAUTHBEARER feature docs instead (the [scope chosen with the author]):

• rpk -X reference (rpk-x-options.adoc): OAUTHBEARER added to sasl.mechanism acceptable values + note (token via pass, leave user unset, applies to Kafka/Admin/SR clients), and user/pass cross-notes.
• authentication partial: adds the [[oidc-rpk]] "Connect to Redpanda with OIDC using rpk" section (with a Validate OIDC authentication step) to the existing OAUTHBEARER (OIDC) section; corrects three stale "rpk only supports basic auth for the Admin API" notes. The GBAC xref from main is omitted (gbac.adoc doesn't exist on this branch).
• netlify.toml: pins NODE_VERSION = "20" (matching .github/workflows/test-docs.yml) so the new Netlify image doesn't default to node 22 / npm 10.9.3 and fail npm install.

Verified: delimited blocks balanced, both anchors present, all xref targets resolve on this branch (#acls, sasl_mechanisms_overrides, oidc-credentials-flow…), no stale claims remain.

🤖 Generated with Claude Code

[netlify]

✅ Deploy Preview for redpanda-docs-preview ready!

Name	Link
🔨 Latest commit	a113625
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-docs-preview/deploys/6a3c54afca18340008ae24aa
😎 Deploy Preview	https://deploy-preview-1766--redpanda-docs-preview.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 60f1fd81-4dd1-455e-9413-ddf2f21e983d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dyu/oidc-oauthbearer-v25.3

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[micheleRP]

Backport review — LGTM

Verified this v/25.3 port of the rpk OAUTHBEARER docs (the work #1762 refines). Since the foundational OIDC content didn't exist on this branch, porting the self-contained feature docs rather than cherry-picking is the right call, and the result is correct and version-appropriate:

• Both anchors present (`[[oidc-rpk]]`, `[[oidc-rpk-validate]]`); delimited blocks balanced.
• All xref targets resolve on `v/25.3`: `cluster-properties.adoc#sasl_mechanisms{,_overrides}`, `security/authorization/index.adoc#acls`, `rpk/rpk-profile/rpk-profile-create.adoc`, `rpk-x-options.adoc#oidc-rpk`, and `<>` (same section title as main, so the auto-ID matches). ✓
• Correctly drops the GBAC xref since `gbac.adoc` doesn't exist on this branch. ✓
• All three stale "rpk only supports basic authentication for the Admin API" claims corrected; no stale claims remain. ✓
• `netlify.toml` node-20 pin matches the justified CI fix from #1763.

Content mirrors the main-branch equivalents and reads cleanly against docs-team-standards.