oidcauthextension

package module v0.144.0
Published: Jan 20, 2026 License: Apache-2.0 Imports: 22 Imported by: 9

README

Authenticator - OIDC

Status
Stability: beta
Distributions: contrib, k8s
Code Owners: @asweet-confluent | Seeking more code owners!
Emeritus: @jpkrohling

This extension implements a configauth.ServerAuthenticator for receivers to reference from their auth settings; the authenticator name to use there is oidc. For each request it reads the token from the header named by attribute (default: authorization), verifies it against the OIDC provider that issued it, and rejects the request if verification fails.

Configuration

extensions:
  oidc:
    providers:
      - issuer_url: http://localhost:8080/auth/realms/opentelemetry  # must match the token's iss claim; plain http is only suitable for local testing
        issuer_ca_path: /etc/pki/tls/cert.pem  # CA used to verify the issuer's TLS server certificate
        audience: account  # expected aud of the token, checked during verification
        username_claim: email  # claim used as the username when sub is not the suitable source

receivers:
  otlp:
    protocols:
      grpc:
        auth:
          authenticator: oidc

processors:

exporters:
  debug:
    verbosity: detailed

service:
  extensions: [oidc]
  pipelines:
    traces:
      receivers: [otlp]
      processors: []
      exporters: [debug]

Provider Matching

Although multiple OIDC providers can be configured, each incoming token is verified against exactly one of them. The extension decodes the token, reads its iss claim and looks for a configured provider whose issuer_url matches it. Note that iss is read before the signature is checked, because the verification keys depend on which provider is selected; a forged iss can therefore only steer a token to a provider you already trust, where the normal signature and audience verification still applies.

If no provider has a matching issuer_url, authentication fails with an error telling the caller that no OIDC provider is configured for that issuer.
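The selection step described above, as an added example that is not the extension's own code: it reads iss from the unverified payload, matches it against a list of configured issuers and reports the "no provider configured" failure. The ProviderCfg type, the exact (byte-for-byte) comparison of issuer_url against iss, and the unsigned test tokens are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ProviderCfg holds the subset of provider settings that matter for selection:
// the issuer to match and the audience the selected provider enforces afterwards.
type ProviderCfg struct {
	IssuerURL string
	Audience  string
}

// issuerFromToken extracts the iss claim from a compact JWS payload WITHOUT
// verifying the signature. That is unavoidable at this stage: the verification
// keys belong to the provider, and the provider is what we are trying to find.
func issuerFromToken(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("token is not a compact JWS (expected 3 dot-separated segments)")
	}
	// JWT segments are unpadded base64url; tolerate stray padding from sloppy issuers.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return "", fmt.Errorf("decoding JWT payload: %w", err)
	}
	var claims struct {
		Issuer string `json:"iss"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", fmt.Errorf("parsing JWT payload: %w", err)
	}
	if claims.Issuer == "" {
		return "", errors.New("token carries no iss claim")
	}
	return claims.Issuer, nil
}

// selectProvider returns the single provider whose issuer_url equals the token's
// iss claim. No normalisation is applied (assumption of this example):
// "https://idp/realm" and "https://idp/realm/" are different issuers.
func selectProvider(token string, providers []ProviderCfg) (*ProviderCfg, error) {
	iss, err := issuerFromToken(token)
	if err != nil {
		return nil, err
	}
	for i := range providers {
		if providers[i].IssuerURL == iss {
			return &providers[i], nil
		}
	}
	return nil, fmt.Errorf("no OIDC provider configured for issuer %q", iss)
}

// unsignedToken builds a constructed test token with an empty signature so the
// example runs offline. It passes selection but would fail the signature check
// that the selected provider performs next.
func unsignedToken(claims map[string]any) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "."
}

func main() {
	providers := []ProviderCfg{
		{IssuerURL: "https://idp.example.com/realms/opentelemetry", Audience: "account"},
		{IssuerURL: "https://idp.example.com/realms/partners", Audience: "account"},
	}
	for _, tok := range []string{
		unsignedToken(map[string]any{"iss": "https://idp.example.com/realms/partners", "sub": "alice"}),
		unsignedToken(map[string]any{"iss": "https://idp.example.com/realms/partners/", "sub": "alice"}),
		"not-a-jwt",
	} {
		p, err := selectProvider(tok, providers)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("selected provider:", p.IssuerURL)
	}
}
```

The trailing-slash case is the one to keep in mind when a provider's discovery document and your configuration disagree on the issuer string: the token is rejected before any key is fetched, and the error names the issuer the token actually carried.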

Configuration Structure Change

Earlier versions of this extension only allowed configuring a single provider:

extensions:
  oidc:
    issuer_url: http://localhost:8080/auth/realms/opentelemetry
    issuer_ca_path: /etc/pki/tls/cert.pem

Although this configuration is still accepted by the extension, it is deprecated and support for it will be dropped in the future. The legacy top-level fields are treated as one more provider alongside any listed under providers, so migrating is a matter of moving them into a single providers entry.
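How the legacy and providers forms fold together, and what the documented validation rules reject, as an added example that is not the extension's own code. It mirrors the Config and ProviderCfg fields from the page, implements the two rules the page states (issuer_url required; audience required unless ignore_audience is true) and adds one check of its own, flagging duplicate issuer_url values, since provider matching by iss assumes each issuer maps to exactly one provider. The providerConfigs helper is a hypothetical stand-in for the unexported getProviderConfigs() the page mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// ProviderCfg mirrors the page's ProviderCfg (mapstructure tags omitted).
type ProviderCfg struct {
	IssuerURL      string
	Audience       string
	IgnoreAudience bool
	IssuerCAPath   string
	UsernameClaim  string
	GroupsClaim    string
}

// Config mirrors the page's Config: the deprecated single-provider fields live
// beside the Providers list.
type Config struct {
	Attribute string

	// Deprecated single-provider settings.
	IssuerURL      string
	Audience       string
	IgnoreAudience bool
	IssuerCAPath   string
	UsernameClaim  string
	GroupsClaim    string

	Providers []ProviderCfg
}

// Validate enforces the two rules the page documents for a provider:
// issuer_url is required, and audience is required unless ignore_audience is set.
func (p *ProviderCfg) Validate() error {
	if p.IssuerURL == "" {
		return errors.New("issuer_url is required")
	}
	if p.Audience == "" && !p.IgnoreAudience {
		return fmt.Errorf("provider %q: audience is required unless ignore_audience is true", p.IssuerURL)
	}
	return nil
}

// providerConfigs folds the deprecated top-level fields into the provider list
// (hypothetical stand-in for getProviderConfigs()). Any legacy field being set
// produces a legacy provider, so a half-filled legacy block is validated
// rather than silently ignored.
func (c *Config) providerConfigs() []ProviderCfg {
	out := append([]ProviderCfg(nil), c.Providers...)
	if c.IssuerURL != "" || c.Audience != "" {
		out = append(out, ProviderCfg{
			IssuerURL:      c.IssuerURL,
			Audience:       c.Audience,
			IgnoreAudience: c.IgnoreAudience,
			IssuerCAPath:   c.IssuerCAPath,
			UsernameClaim:  c.UsernameClaim,
			GroupsClaim:    c.GroupsClaim,
		})
	}
	return out
}

// Validate checks every provider, legacy one included, and additionally
// rejects duplicate issuer_url values (an added check in this example): a
// token is matched to exactly one provider by its iss claim, so two providers
// sharing an issuer would make that selection ambiguous.
func (c *Config) Validate() error {
	providers := c.providerConfigs()
	if len(providers) == 0 {
		return errors.New("at least one OIDC provider must be configured")
	}
	var errs error
	seen := make(map[string]bool, len(providers))
	for i := range providers {
		if err := providers[i].Validate(); err != nil {
			errs = errors.Join(errs, err)
			continue
		}
		if seen[providers[i].IssuerURL] {
			errs = errors.Join(errs, fmt.Errorf("issuer_url %q is configured more than once", providers[i].IssuerURL))
		}
		seen[providers[i].IssuerURL] = true
	}
	return errs
}

func main() {
	legacy := Config{IssuerURL: "https://idp.example.com/realms/opentelemetry", Audience: "account"}
	migrated := Config{Providers: legacy.providerConfigs()}
	fmt.Println("legacy valid:", legacy.Validate() == nil, "migrated valid:", migrated.Validate() == nil)

	half := Config{Providers: []ProviderCfg{{IssuerURL: "https://idp.example.com/realms/opentelemetry"}}}
	fmt.Println("missing audience:", half.Validate())
}
```

Treat ignore_audience as an exception rather than a convenience: with it set, any token the issuer signed is accepted, including tokens minted for other services at the same issuer. Prefer configuring the audience the provider actually puts in aud.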

Accessing JWT Claims

After a token has been verified, the extension exposes its claims to the rest of the pipeline through the request context. Processors that support from_context, such as the resource processor below, can read a claim as auth.claims.<claim name> and use it, for example, to label telemetry with the tenant that sent it.

extensions:
  oidc:
    providers:
      - issuer_url: http://localhost:8080/auth/realms/opentelemetry
        audience: account

receivers:
  otlp:
    protocols:
      grpc:
        auth:
          authenticator: oidc

processors:
  resource:
    attributes:
      # Add predefined OIDC claims to the resource attributes
      - key: subject
        action: upsert
        from_context: auth.claims.subject

      # Add an arbitrary claim from the JWT (here a custom tenant_id claim)
      - key: tenant_id
        action: upsert
        from_context: auth.claims.tenant_id

Documentation

Functions

func NewFactory

func NewFactory() extension.Factory

NewFactory creates a factory for the OIDC Authenticator extension.

Types

type Config

type Config struct {
	// The attribute (header name) to look for auth data. Optional, default value: "authorization".
	Attribute string `mapstructure:"attribute"`

	// Deprecated: use Providers instead.
	// IssuerURL is the base URL for the OIDC provider.
	// Required.
	IssuerURL string `mapstructure:"issuer_url"`

	// Deprecated: use Providers instead.
	// Audience of the token, used during the verification.
	// For example: "https://accounts.google.com" or "https://login.salesforce.com".
	// Required unless IgnoreAudience is true.
	Audience string `mapstructure:"audience"`

	// Deprecated: use Providers instead.
	// When true, this skips validating the audience field.
	// Optional.
	IgnoreAudience bool `mapstructure:"ignore_audience"`

	// Deprecated: use Providers instead.
	// The local path for the issuer CA's TLS server cert.
	// Optional.
	IssuerCAPath string `mapstructure:"issuer_ca_path"`

	// Deprecated: use Providers instead.
	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
	// Optional.
	UsernameClaim string `mapstructure:"username_claim"`

	// Deprecated: use Providers instead.
	// The claim that holds the subject's group membership information.
	// Optional.
	GroupsClaim string `mapstructure:"groups_claim"`

	// Providers allows configuring multiple OIDC providers.
	// Use the getProviderConfigs() method to get the full list of providers, including the legacy configuration.
	Providers []ProviderCfg `mapstructure:"providers"`
}

Config has the configuration for the OIDC Authenticator extension.

func (*Config) Validate added in v0.93.0

func (cfg *Config) Validate() (errs error)

type ProviderCfg added in v0.131.0

type ProviderCfg struct {
	// IssuerURL is the base URL for the OIDC provider.
	// Required.
	IssuerURL string `mapstructure:"issuer_url"`

	// Audience of the token, used during the verification.
	// For example: "https://accounts.google.com" or "https://login.salesforce.com".
	// Required unless IgnoreAudience is true.
	Audience string `mapstructure:"audience"`

	// When true, this skips validating the audience field.
	// Optional.
	IgnoreAudience bool `mapstructure:"ignore_audience"`

	// The local path for the issuer CA's TLS server cert.
	// Optional.
	IssuerCAPath string `mapstructure:"issuer_ca_path"`

	// The claim to use as the username, in case the token's 'sub' isn't the suitable source.
	// Optional.
	UsernameClaim string `mapstructure:"username_claim"`

	// The claim that holds the subject's group membership information.
	// Optional.
	GroupsClaim string `mapstructure:"groups_claim"`
}

func (*ProviderCfg) Validate added in v0.131.0

func (p *ProviderCfg) Validate() error

Directories

Path Synopsis
internal
