New component: jwtauthextension #30322
Comments
Can you expand on that? The OIDC authenticator does validate JWT tokens.
I'm unable to configure the receiver otelcontribcol with oidc to validate
JWT tokens. On the sender otelcontribcol I can see the error
2024-01-11T15:07:15.091+0100 error exporterhelper/retry_sender.go:145
Exporting failed. The error is not retryable. Dropping data. {"kind":
"exporter", "data_type": "traces", "name": "otlp", "error": "Permanent
error: rpc error: code = Unknown desc = failed to verify token: failed to
verify signature: failed to verify id token signature", "dropped_items": 2}
go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send
***@***.***/exporterhelper/retry_sender.go:145
go.opentelemetry.io/collector/exporter/exporterhelper.(*tracesExporterWithObservability).send
***@***.***/exporterhelper/traces.go:177
go.opentelemetry.io/collector/exporter/exporterhelper.(*queueSender).start.func1
***@***.***/exporterhelper/queue_sender.go:124
go.opentelemetry.io/collector/exporter/exporterhelper/internal.(*boundedMemoryQueue).Start.func1
***@***.***/exporterhelper/internal/bounded_memory_queue.go:52
But no log appears on the receiver's side (logging level is set to debug).
Piotr
Wed, 10 Jan 2024 at 18:32 Juraci Paixão Kröhling ***@***.***>
wrote:
… can issue only jwt access token, which cannot be validated by the oidc
extension.
Can you expand on that? The OIDC authenticator does validate JWT tokens.
--
Piotr Jachowicz
Here is what my token looks like. The code prints
Did I answer your question @jpkrohling?
Yes, you don't want to have a different validation, you want to skip validation altogether:
vs.
I'm somewhat puzzled by why you'd want an authentication token that can't be validated. Wouldn't an adversary just need to create a simple JSON and impersonate a service of yours?
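The risk described in the comment above, as an added Go example that is not part of this issue or of the collector's code: a receiver that skips signature validation accepts whatever payload a client writes, while one that pins the algorithm and checks the signature rejects the forgery. It uses a constructed HS256 shared secret for brevity; the collector's OIDC extension checks signatures against keys published by the identity provider instead, but the check it demonstrates is the same.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// SignHS256 builds a compact HS256 JWT; used here only to construct sample tokens.
func SignHS256(claims map[string]any, key []byte) string {
	payload, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
// ParseUnverified is what "skipping validation" amounts to: the payload is
// trusted as-is, so any client can mint a token naming any "sub".
func ParseUnverified(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(payload, &claims)
}
// VerifyHS256 pins the algorithm and checks the MAC over header.payload with
// the shared key (constant-time compare) before the claims are trusted.
func VerifyHS256(token string, key []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg") // also rejects an alg=none downgrade
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, fmt.Errorf("failed to verify signature")
	}
	return ParseUnverified(token) // signature checked, payload can now be trusted
}
```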
This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping
I checked again and now the combination of auth2client and oidc works as expected. Sorry for the confusion, I'm closing the issue.
The purpose and use-cases of the new component
Exposing the OTEL collector to a public network requires an authentication mechanism that prevents unauthorized users from populating their data. One option, described here by Juraci Paixão Kröhling, consists of
The problem I encounter is that my authorization service in the client credentials flow can issue only a JWT access token, which cannot be validated by the oidc extension.
To support JWT access token validation I created the jwtauth extension, which validates JWT access tokens.
Example configuration for the component
Telemetry data types supported
Traces, metrics, logs.
Is this a vendor-specific component?
Code Owner(s)
No response
Sponsor (optional)
No response
Additional context
No response