
[Filebeat][xpack][httpjson] - OAuth2 use without client secret and with url params is not possible #33327

Closed
p-leh opened this issue Oct 12, 2022 · 2 comments · Fixed by #33342
Comments

@p-leh
Contributor

p-leh commented Oct 12, 2022

Describe the enhancement:

  1. The option is missing to pass the credentials as header params as well, or, even better, to use the automatic detection from the oauth2 package. (oauth2 package - golang.org/x/oauth2 - Go Packages)

x-pack->filebeat->input->httpjson->config_auth.go
LINE 25:

// authStyleInParams sends the "client_id" and "client_secret" in the POST body as application/x-www-form-urlencoded parameters.
const authStyleInParams = 1

Change to Auto Detection

// authStyleAutoDetect lets the oauth2 package detect whether the client credentials are sent as BODY params or HEADER params
const authStyleAutoDetect = 0
  2. The passing of the required client credentials is too strict, because the param validator checks the client secret as well. But the client secret can be empty and still be valid for the oauth2 access process.

x-pack->filebeat->input->httpjson->config_auth.go
LINE 216:
Exclude client secret from validator [ o.ClientSecret == "" ] and adjust error message

	case oAuth2ProviderDefault:
		// ClientSecret is deliberately not checked here: an empty secret is valid.
		if o.TokenURL == "" || o.ClientID == "" {
			return errors.New("both token_url and client.id credentials must be provided")
		}
		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
			return errors.New("both user and password credentials must be provided")
		}
...

Describe a specific use case for the enhancement or feature:

We have an oauth2 service which supports passing the parameters by header only and not by params in the body.
Furthermore, the required credentials for the client contain an ID and an empty secret.
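To make the two points above concrete, here is an added, self-contained Go example (not code from the issue author or from the Beats repository). It models the three auth styles with the constant names quoted from config_auth.go, places the strict validator beside the relaxed one, and runs a client-credentials request against a constructed httptest token endpoint that, like the service described in the issue, accepts the client only via the HTTP Basic Authorization header and expects an empty client secret. The auto-detect path loosely models what golang.org/x/oauth2 does (probe one style, fall back to the other) without importing it; all names, the server behaviour and the token values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// authStyle mirrors the AuthStyle values of golang.org/x/oauth2; the constant
// names follow those quoted from config_auth.go in the issue.
type authStyle int

const (
	authStyleAutoDetect authStyle = 0 // probe header style, then params style
	authStyleInParams   authStyle = 1 // client_id/client_secret in the POST body
	authStyleInHeader   authStyle = 2 // client credentials via HTTP Basic auth
)

// oAuth2Config is a constructed, cut-down stand-in for the httpjson oauth2 config block.
type oAuth2Config struct {
	TokenURL     string
	ClientID     string
	ClientSecret string
	AuthStyle    authStyle
}

// validateStrict reproduces the check the issue objects to: an empty secret is rejected.
func validateStrict(o oAuth2Config) error {
	if o.TokenURL == "" || o.ClientID == "" || o.ClientSecret == "" {
		return errors.New("both token_url and client credentials must be provided")
	}
	return nil
}

// validateRelaxed is the proposed check: only token_url and client.id are mandatory,
// so a client with an ID and an empty secret passes validation.
func validateRelaxed(o oAuth2Config) error {
	if o.TokenURL == "" || o.ClientID == "" {
		return errors.New("both token_url and client.id credentials must be provided")
	}
	return nil
}

// requestToken sends one client_credentials request using exactly one auth style
// and returns the HTTP status the token endpoint answered with.
func requestToken(o oAuth2Config, style authStyle) (int, error) {
	form := url.Values{"grant_type": {"client_credentials"}}
	if style == authStyleInParams {
		form.Set("client_id", o.ClientID)
		form.Set("client_secret", o.ClientSecret)
	}
	req, err := http.NewRequest(http.MethodPost, o.TokenURL, strings.NewReader(form.Encode()))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == authStyleInHeader {
		// RFC 6749 section 2.3.1: form-encode id and secret, then send them as HTTP Basic.
		req.SetBasicAuth(url.QueryEscape(o.ClientID), url.QueryEscape(o.ClientSecret))
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// fetchToken honours a fixed style; for authStyleAutoDetect it probes header style
// first and falls back to params style, reporting which one the endpoint accepted.
func fetchToken(o oAuth2Config) (authStyle, error) {
	styles := []authStyle{o.AuthStyle}
	if o.AuthStyle == authStyleAutoDetect {
		styles = []authStyle{authStyleInHeader, authStyleInParams}
	}
	for _, style := range styles {
		status, err := requestToken(o, style)
		if err != nil {
			return 0, err
		}
		if status == http.StatusOK {
			return style, nil
		}
	}
	return 0, errors.New("token endpoint rejected every auth style tried")
}

// newHeaderOnlyTokenServer is a constructed stand-in for the provider in the issue:
// it reads the client only from the Authorization header, ignores body params,
// and expects an empty client secret.
func newHeaderOnlyTokenServer(clientID string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, secret, ok := r.BasicAuth()
		if !ok || id != clientID || secret != "" {
			w.Header().Set("WWW-Authenticate", `Basic realm="token"`)
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"bearer"}`)
	}))
}

func main() {
	srv := newHeaderOnlyTokenServer("filebeat-client")
	defer srv.Close()
	cfg := oAuth2Config{TokenURL: srv.URL, ClientID: "filebeat-client", ClientSecret: ""}
	fmt.Println("strict validator:", validateStrict(cfg))   // rejects the empty secret
	fmt.Println("relaxed validator:", validateRelaxed(cfg)) // nil
	style, err := fetchToken(cfg)                           // zero AuthStyle = auto-detect
	fmt.Println("accepted style:", style, "err:", err)      // 2 (header) <nil>
}
```

With AuthStyle left at its zero value the client ends up on the header style that the endpoint actually accepts, which is the behaviour the issue asks for; forcing authStyleInParams against the same endpoint fails with 401, which is what the current params-only constant produces.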

@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 12, 2022
@elasticmachine
Collaborator

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

@botelastic botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Oct 12, 2022
@belimawr
Contributor

@elastic/security-external-integrations this is an enhancement request for the HTTP JSON input, I believe it belongs to you, is that right?

We had a small discussion about it on Discuss: https://discuss.elastic.co/t/filebeat-xpack-httpjson-oauth2-use-without-client-secret-and-with-url-params-is-not-possible/314691.

My understanding is that @p-leh will give a shot at implementing it.
