oauth2clientauthextension

v0.34.0
Published: Aug 31, 2021 License: Apache-2.0 Imports: 14 Imported by: 9

README

Authenticator - OAuth2 Client Credentials

This extension provides an OAuth2 Client Credentials flow authenticator for HTTP- and gRPC-based exporters. The extension fetches the token and refreshes it automatically after expiry. For further details about the OAuth2 Client Credentials flow (2-legged workflow), refer to https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.

The authenticator type has to be set to oauth2client.

Configuration

extensions:
  oauth2client:
    client_id: someclientid
    client_secret: someclientsecret
    token_url: https://example.com/oauth2/default/v1/token
    scopes: ["api.metrics"]
    # tls settings for the token client
    tls:
      insecure: true
      ca_file: /var/lib/mycert.pem
      cert_file: certfile
      key_file: keyfile
    # timeout for the token client
    timeout: 2s
    
receivers:
  hostmetrics:
    scrapers:
      memory:
  otlp:
    protocols:
      grpc:

exporters:
  otlphttp/withauth:
    endpoint: http://localhost:9000
    auth:
      authenticator: oauth2client
      
  otlp/withauth:
    endpoint: 0.0.0.0:5000
    ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client

service:
  extensions: [oauth2client]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [otlphttp/withauth, otlp/withauth]

The configuration fields are:

  • token_url - The resource server's token endpoint URL.
  • client_id - The client identifier issued to the client.
  • client_secret - The secret string associated with the above identifier.
  • scopes - Optional. Requested permissions associated with the client.
  • timeout - Optional. Specifies the timeout on the underlying client to the authorization server for fetching tokens (initially and while refreshing). If this field is not set, there is no timeout on the client.

For more information on client side TLS settings, see configtls README.
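A preflight check over the fields listed above, as an added example (not the extension's code). The `AuthConfig` and `Exporter` types and the `Audit` function are hypothetical, and treating `client_id`, `client_secret` and `token_url` as required is an assumption drawn from their not being marked optional.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// AuthConfig and Exporter are hypothetical mirrors of the YAML fields, not the extension's types.
type AuthConfig struct {
	ClientID, ClientSecret, TokenURL string
	TLSInsecure                      bool          // tls.insecure
	Timeout                          time.Duration // timeout; zero means unset
}

type Exporter struct{ Name, Endpoint string } // an exporter whose auth.authenticator is oauth2client
// Audit returns one finding per setting that exposes the client secret or the bearer token.
func Audit(c AuthConfig, exporters []Exporter) []string {
	var out []string
	if c.ClientID == "" || c.ClientSecret == "" || c.TokenURL == "" {
		out = append(out, "client_id, client_secret and token_url must all be set")
	}
	if u, err := url.Parse(c.TokenURL); c.TokenURL != "" && (err != nil || u.Scheme != "https") {
		out = append(out, "token_url must be an https URL: it receives client_secret")
	}
	if c.TLSInsecure {
		out = append(out, "tls.insecure is true on the client that sends client_secret")
	}
	if c.Timeout <= 0 {
		out = append(out, "timeout is unset: the token client has no timeout")
	}
	for _, e := range exporters {
		if strings.HasPrefix(strings.ToLower(e.Endpoint), "http://") {
			out = append(out, "exporter "+e.Name+" sends the bearer token over plain HTTP")
		}
	}
	return out
}

func main() {
	// Values copied from the sample configuration on this page.
	cfg := AuthConfig{ClientID: "someclientid", ClientSecret: "someclientsecret",
		TokenURL: "https://example.com/oauth2/default/v1/token", TLSInsecure: true, Timeout: 2 * time.Second}
	exporters := []Exporter{{"otlphttp/withauth", "http://localhost:9000"}, {"otlp/withauth", "0.0.0.0:5000"}}
	for _, f := range Audit(cfg, exporters) {
		fmt.Println("finding:", f)
	}
}
```

Run against the sample configuration, it reports the `tls.insecure` setting on the token client and the `otlphttp/withauth` exporter's `http://` endpoint.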

Documentation

Overview

Package oauth2clientcredentialsauthextension implements `configauth.ClientAuthenticator`. This extension provides an OAuth2 Client Credentials flow authenticator for HTTP- and gRPC-based exporters. The extension fetches the token and refreshes it after expiry. For further details about the OAuth2 Client Credentials flow, refer to https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewFactory

func NewFactory() component.ExtensionFactory

NewFactory creates a factory for the OIDC Authenticator extension.

Types

type ClientCredentialsAuthenticator

type ClientCredentialsAuthenticator struct {
	// contains filtered or unexported fields
}

ClientCredentialsAuthenticator implements client authentication using the OAuth2 client credentials workflow for both gRPC and HTTP clients.

func (*ClientCredentialsAuthenticator) PerRPCCredentials

PerRPCCredentials returns gRPC PerRPCCredentials that support the "client-credential" OAuth flow. The underlying oauth2.clientcredentials.Config instance manages tokens, refreshing them automatically as necessary.

func (*ClientCredentialsAuthenticator) RoundTripper

RoundTripper returns oauth2.Transport, an http.RoundTripper that performs the "client-credential" OAuth flow and automatically refreshes OAuth tokens as needed.

func (*ClientCredentialsAuthenticator) Shutdown

Shutdown for the ClientCredentialsAuthenticator extension does nothing.

func (*ClientCredentialsAuthenticator) Start

Start for the ClientCredentialsAuthenticator extension does nothing.

type Config

type Config struct {
	config.ExtensionSettings `mapstructure:",squash"`

	// ClientID is the application's ID.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.2
	ClientID string `mapstructure:"client_id"`

	// ClientSecret is the application's secret.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
	ClientSecret string `mapstructure:"client_secret"`

	// TokenURL is the resource server's token endpoint
	// URL. This is a constant specific to each server.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
	TokenURL string `mapstructure:"token_url"`

	// Scope specifies optional requested permissions.
	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
	Scopes []string `mapstructure:"scopes,omitempty"`

	// TLSSetting struct exposes TLS client configuration for the underneath client to authorization server.
	TLSSetting configtls.TLSClientSetting `mapstructure:"tls,omitempty"`

	// Timeout parameter configures `http.Client.Timeout` for the underneath client to authorization
	// server while fetching and refreshing tokens.
	Timeout time.Duration `mapstructure:"timeout,omitempty"`
}

Config stores the configuration for OAuth2 Client Credentials (2-legged OAuth2 flow) setup.

func (*Config) Validate

func (cfg *Config) Validate() error

Validate checks if the extension configuration is valid.
