oauth2clientauthextension

package module
v0.145.0
Published: Feb 3, 2026 License: Apache-2.0 Imports: 25 Imported by: 11

README

OAuth2 Client Credentials Authenticator Extension

Status

Stability: beta
Distributions: contrib, k8s
Issues: open issues, closed issues
Code coverage: codecov
Code owners: @pavankrish123 | Seeking more code owners!
Emeritus: @jpkrohling

This extension provides an OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters. The extension fetches the token and refreshes it automatically after expiry. For further details about the OAuth2 Client Credentials flow (2-legged workflow), refer to https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.

The authenticator type has to be set to oauth2client.

Configuration

extensions:
  oauth2client:
    client_id: someclientid
    client_secret: someclientsecret
    endpoint_params:
      audience: someaudience
    token_url: https://example.com/oauth2/default/v1/token
    scopes: ["api.metrics"]
    # tls settings for the token client
    tls:
      insecure: true
      ca_file: /var/lib/mycert.pem
      cert_file: certfile
      key_file: keyfile
    # timeout for the token client
    timeout: 2s
    # buffer time before token expiry to refresh
    expiry_buffer: 10s

  oauth2client/jwt-bearer-grant-type:
    client_id: someclientid
    client_certificate_key: secret_key
    grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
    token_url: https://example.com/oauth2/default/v1/token
    signature_algorithm: RS512
    endpoint_params:
      audience: someaudience
    scopes: ["api.metrics"]
    timeout: 1s
    
receivers:
  hostmetrics:
    scrapers:
      memory:
  otlp:
    protocols:
      grpc:

exporters:
  otlp_http/withauth:
    endpoint: http://localhost:9000
    auth:
      authenticator: oauth2client
      
  otlp/withauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client
      
  otlp/withjwtauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client/jwt-bearer-grant-type

service:
  extensions: [oauth2client,oauth2client/jwt-bearer-grant-type]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [otlp_http/withauth, otlp/withauth, otlp/withjwtauth]

The configuration fields are:

  • token_url - The resource server's token endpoint URL.
  • client_id - The client identifier issued to the client.
  • grant_type - Optional OAuth2 grant type to use. It can be one of "client_credentials" or "urn:ietf:params:oauth:grant-type:jwt-bearer" and defaults to "client_credentials".
  • client_id_file - The file path to retrieve the client identifier issued to the client. The extension reads this file and updates the client ID used whenever it needs to issue a new token. This enables changing the client credentials dynamically by modifying the file contents, for example when they need to be rotated.
    This setting takes precedence over client_id.
  • client_secret - The secret string associated with the above identifier. This is required when grant_type is "client_credentials".
  • client_secret_file - The file path to retrieve the secret string associated with the above identifier. The extension reads this file and updates the client secret used whenever it needs to issue a new token. This enables changing the client credentials dynamically by modifying the file contents, for example when they need to be rotated.
    This setting takes precedence over client_secret.
  • client_certificate_key - The private key used to sign the JWT assertion used for RFC 7523. This is required when grant_type is "urn:ietf:params:oauth:grant-type:jwt-bearer".
  • client_certificate_key_file - The file path to retrieve the private key used to sign the JWT assertion. The extension reads this file and updates the client key used whenever it needs to issue a new token. This enables changing the credentials dynamically by modifying the file contents, for example when they need to be rotated.
    This setting takes precedence over client_certificate_key.
  • client_certificate_key_id - Optional kid (key ID) used to sign the JWT assertion used for RFC 7523.
  • signature_algorithm - Optional RSA algorithm used to sign the JWT assertion used for RFC 7523; defaults to "RS256".
  • iss - Optional client identifier added as the issuer of the JWT assertion used for RFC 7523; defaults to client_id.
  • audience - Optional intended audience of the JWT assertion used for RFC 7523; defaults to token_url.
  • claims - Optional extra claims to be added to the JWT assertion used for RFC 7523.
  • endpoint_params - Additional parameters that are sent to the token endpoint.
  • scopes - Optional requested permissions associated with the client.
  • timeout - Optional timeout on the underlying client used to fetch tokens from the authorization server (initially and while refreshing). If this is not set, the client has no timeout.
  • expiry_buffer - Optional time buffer before the access token expires within which it is refreshed, preventing authentication failures due to token expiration. The default value is 5m.

For more information on client side TLS settings, see configtls README.
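As an added example that is not part of the extension's own code, the following Go sketch shows the client-credentials exchange and the expiry_buffer refresh rule that the fields above configure, using only the standard library in place of golang.org/x/oauth2. The names Token, NeedsRefresh and FetchClientCredentials are chosen here and are not the project's API; client_id and client_secret are sent as HTTP Basic credentials, as RFC 6749 §2.3.1 describes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Token keeps what an authenticator needs from an RFC 6749 §5.1 token response.
type Token struct {
	AccessToken string
	Expiry      time.Time
}

// NeedsRefresh applies the README's expiry_buffer rule (hypothetical helper): refresh
// once less than expiryBuffer of lifetime remains; the extension defaults to 5m.
func (t *Token) NeedsRefresh(now time.Time, expiryBuffer time.Duration) bool {
	return t == nil || t.AccessToken == "" || !now.Add(expiryBuffer).Before(t.Expiry)
}

// FetchClientCredentials does one §4.4 exchange: grant_type, scopes and endpoint_params in the form body.
func FetchClientCredentials(c *http.Client, tokenURL, clientID, clientSecret string,
	scopes []string, endpointParams url.Values, now time.Time) (*Token, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " ")) // space-separated list per §3.3
	}
	for k, vs := range endpointParams { // e.g. audience=someaudience from the README
		form[k] = vs
	}
	req, err := http.NewRequest(http.MethodPost, tokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(url.QueryEscape(clientID), url.QueryEscape(clientSecret)) // §2.3.1 form-encodes both
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		ExpiresIn   int64  `json:"expires_in"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); resp.StatusCode != http.StatusOK || err != nil || body.AccessToken == "" {
		return nil, fmt.Errorf("token endpoint %s: no usable access_token (%v)", resp.Status, err)
	}
	return &Token{AccessToken: body.AccessToken, Expiry: now.Add(time.Duration(body.ExpiresIn) * time.Second)}, nil
}
```

With a 300-second access token the default 5m expiry_buffer makes NeedsRefresh true immediately, so expiry_buffer should be shorter than the token lifetime the authorization server actually issues.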

Documentation

Overview

Package oauth2clientauthextension implements `cauth.Client`. This extension provides an OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters. The extension fetches the token and refreshes it after expiry. For further details about the OAuth2 Client Credentials flow, refer to https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFactory

func NewFactory() extension.Factory

NewFactory creates a factory for the oauth2 client Authenticator extension.

Types

type Config

type Config struct {
	// ClientID is the application's ID.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.2
	ClientID string `mapstructure:"client_id"`

	// ClientIDFile is the file path to read the application's ID from.
	ClientIDFile string `mapstructure:"client_id_file"`

	// ClientSecret is the application's secret.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	ClientSecret configopaque.String `mapstructure:"client_secret"`

	// ClientSecretFile is the file path to read the application's secret from.
	ClientSecretFile string `mapstructure:"client_secret_file"`

	// ClientCertificateKeyID is the Key ID to include in the jwt. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	ClientCertificateKeyID string `mapstructure:"client_certificate_key_id"`

	// ClientCertificateKey is the application's private key. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	ClientCertificateKey configopaque.String `mapstructure:"client_certificate_key"`

	// ClientCertificateKeyFile is the file path to read the application's private key from. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	ClientCertificateKeyFile string `mapstructure:"client_certificate_key_file"`

	// GrantType is the OAuth2 grant type to use. It can be one of
	// "client_credentials" or "urn:ietf:params:oauth:grant-type:jwt-bearer" (RFC 7523).
	// Default value is "client_credentials"
	GrantType string `mapstructure:"grant_type"`

	// SignatureAlgorithm is the RSA algorithm used to sign JWT token. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	// Default value is RS256 and valid values RS256, RS384, RS512
	SignatureAlgorithm string `mapstructure:"signature_algorithm,omitempty"`

	// Iss is the OAuth client identifier used when communicating with
	// the configured OAuth provider. Default value is client_id. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	Iss string `mapstructure:"iss,omitempty"`

	// Audience optionally specifies the intended audience of the
	// request.  If empty, the value of TokenURL is used as the
	// intended audience. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	Audience string `mapstructure:"audience,omitempty"`

	// Claims is a map of claims to be added to the JWT token. Only used if
	// GrantType is set to "urn:ietf:params:oauth:grant-type:jwt-bearer".
	Claims map[string]any `mapstructure:"claims,omitempty"`

	// EndpointParams specifies additional parameters for requests to the token endpoint.
	EndpointParams url.Values `mapstructure:"endpoint_params"`

	// TokenURL is the resource server's token endpoint
	// URL. This is a constant specific to each server.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
	TokenURL string `mapstructure:"token_url"`

	// Scopes specifies optional requested permissions.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
	Scopes []string `mapstructure:"scopes,omitempty"`

	// TLS exposes the TLS client configuration for the underlying client to the authorization server.
	TLS configtls.ClientConfig `mapstructure:"tls,omitempty"`

	// Timeout configures `http.Client.Timeout` for the underlying client to the authorization
	// server while fetching and refreshing tokens.
	Timeout time.Duration `mapstructure:"timeout,omitempty"`

	// ExpiryBuffer specifies the time buffer before token expiry to refresh it.
	ExpiryBuffer time.Duration `mapstructure:"expiry_buffer,omitempty"`
}

Config stores the configuration for OAuth2 Client Credentials (2-legged OAuth2 flow) setup.

func (*Config) Validate

func (cfg *Config) Validate() error

Validate checks whether the extension configuration is valid.

type TokenSourceConfiguration added in v0.145.0

type TokenSourceConfiguration interface {
	TokenSource(context.Context) oauth2.TokenSource
	TokenEndpoint() string
}

Directories

Path Synopsis
internal
