New component: jwtauthextension

[pjachowi]

The purpose and use-cases of the new component

Exposing OTEL collector to public network requires authentication mechanism preventing unauthorized users from populating their data. One option, described here by Juraci Paixão Kröhling consists of

• using oauth2client extension on sender side to obtain openid token, and
• oidc extension on receivere's side to validate the openid token

The problem I encounter is that my authorization service in the client credentials flow can issue only jwt access token, which cannot be validated by the oidc extension.

To support jwt access token validation I created the jwtauth extension validating jwt access tokens.

Example configuration for the component

extensions:
      jwtauthextension:
        issuer_url: https://token_validator.com/
        jwks_path: ext/oauth/jwks
        scopes: [otelproxy]

Telemetry data types supported

Traces, metrics, logs.

Is this a vendor-specific component?

• This is a vendor-specific component
• If this is a vendor-specific component, I am proposing to contribute and support it as a representative of the vendor.

Code Owner(s)

No response

Sponsor (optional)

No response

Additional context

No response

[jpkrohling]

can issue only jwt access token, which cannot be validated by the oidc extension.

Can you expand on that? The OIDC authenticator does validate JWT tokens.

[pjachowi]

I'm unable to configure the receiver otecontribcol with oidc to validate JWT tokens. On sender otelcontribcol I can see the error 2024-01-11T15:07:15.091+0100 error exporterhelper/retry_sender.go:145 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "traces", "name": "otlp", "error": "Permanent error: rpc error: code = Unknown desc = failed to verify token: failed to verify signature: failed to verify id token signature", "dropped_items": 2} go.opentelemetry.io/collector/exporter/exporterhelper.(*retrySender).send ***@***.***/exporterhelper/retry_sender.go:145 go.opentelemetry.io/collector/exporter/exporterhelper.(*tracesExporterWithObservability).send ***@***.***/exporterhelper/traces.go:177 go.opentelemetry.io/collector/exporter/exporterhelper.(*queueSender).start.func1 ***@***.***/exporterhelper/queue_sender.go:124 go.opentelemetry.io/collector/exporter/exporterhelper/internal.(*boundedMemoryQueue).Start.func1 ***@***.***/exporterhelper/internal/bounded_memory_queue.go:52 But no log appears on the receiver's side (logging level is set to debug). Piotr śr., 10 sty 2024 o 18:32 Juraci Paixão Kröhling ***@***.***> napisał(a):

…

can issue only jwt access token, which cannot be validated by the oidc extension. Can you expand on that? The OIDC authenticator does validate JWT tokens. — Reply to this email directly, view it on GitHub <#30322 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADWSRYEC6YIHLCPWX5KQUDYN3GDHAVCNFSM6AAAAABBQMYWFCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQOBVGMYDANZSGM> . You are receiving this because you authored the thread.Message ID: <open-telemetry/opentelemetry-collector-contrib/issues/30322/1885300723@ github.com>

-- Piotr Jachowicz

[pjachowi]

Here is how my token looks like. The code

import jwt
jwt.decode(bearer, options={"verify_signature": False})

Prints

{'scope': ['<redacted>', '<redacted>', '<redacted>'],
 'authorization_details': [],
 'client_id': '<redacted>',
 'iss': 'https://<redacted>:443',
 'aud': '<redacted>',
 'exp': 1705050729}

[pjachowi]

Did I answer you question @jpkrohling ?

[jpkrohling]

Yes, you don't want to have a different validation, you want to skip validation altogether:

which cannot be validated by the oidc extension

vs.

options={"verify_signature": False}

I'm somewhat puzzled by why you'd want an authentication token that can't be validated. Wouldn't an adversary just need to create a simple JSON and impersonate a service of yours?

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

[pjachowi]

Yes, you don't want to have a different validation, you want to skip validation altogether:

which cannot be validated by the oidc extension

vs.

options={"verify_signature": False}

I'm somewhat puzzled by why you'd want an authentication token that can't be validated. Wouldn't an adversary just need to create a simple JSON and impersonate a service of yours?

I checked again and now the combination of auth2client and oidc works as expected. Sorry for the confusion, I'm closing the issue.