Skip to main content

​
Oauth2clientauth Extension

Status Available in: contrib, k8s Maintainers: @pavankrish123 Source: opentelemetry-collector-contrib

​
Overview

This extension provides OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters. The extension fetches and refreshes the token after expiry automatically. For further details about OAuth2 Client Credentials flow (2-legged workflow) refer https://datatracker.ietf.org/doc/html/rfc6749#section-4.4. The authenticator type has to be set to oauth2client.

​
Configuration

extensions:
  oauth2client:
    client_id: someclientid
    client_secret: someclientsecret
    endpoint_params:
      audience: someaudience
    token_url: https://example.com/oauth2/default/v1/token
    scopes: ["api.metrics"]
    # tls settings for the token client
    tls:
      insecure: true
      ca_file: /var/lib/mycert.pem
      cert_file: certfile
      key_file: keyfile
    # timeout for the token client
    timeout: 2s
    # buffer time before token expiry to refresh
    expiry_buffer: 10s

  oauth2client/jwt-bearer-grant-type:
    client_id: someclientid
    client_certificate_key: secret_key
    grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
    token_url: https://example.com/oauth2/default/v1/token
    signature_algorithm: RS512
    endpoint_params:
      audience: someaudience
    scopes: ["api.metrics"]
    timeout: 1s
    
receivers:
  hostmetrics:
    scrapers:
      memory:
  otlp:
    protocols:
      grpc:

exporters:
  otlp_http/withauth:
    endpoint: http://localhost:9000
    auth:
      authenticator: oauth2client
      
  otlp_grpc/withauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client
      
  otlp_grpc/withjwtauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client/jwt-bearer-grant-type

service:
  extensions: [oauth2client,oauth2client/jwt-bearer-grant-type]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [otlp_http/withauth, otlp_grpc/withauth, otlp_grpc/withjwtauth]
Following are the configuration fields
  • token_url - The resource server’s token endpoint URLs.
  • client_id - The client identifier issued to the client.
  • grant_type - Optional OAuth2 grant type to use. It can be one of “client_credentials” or “urn:ietf:params:oauth:grant-type:jwt-bearer” and defaults to “client_credentials”
  • client_id_file - The file path to retrieve the client identifier issued to the client. The extension reads this file and updates the client ID used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate.
    This setting takes precedence over client_id.
  • client_secret - The secret string associated with above identifier. This is required when grant_type is “client_credentials”
  • client_secret_file - The file path to retrieve the secret string associated with above identifier. The extension reads this file and updates the client secret used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate.
    This setting takes precedence over client_secret.
  • client_certificate_key - The private key used to sign the jwt assertion used for RFC7523. This is required when grant_type is “urn:ietf:params:oauth:grant-type:jwt-bearer”
  • client_certificate_key_file - The file path to retrieve the secret string associated with above identifier. The extension reads this file and updates the client key used whenever it needs to issue a new token. This enables dynamically changing the credentials by modifying the file contents when, for example, they need to rotate.
    This setting takes precedence over client_certificate_key.
  • client_certificate_key_id - Optional kid used to sign the jwt assertion used for RFC7523.
  • signature_algorithm - Optional RSA algorithm used to sign jwt assertion used for RFC7523 and defaults to “RS256”.
  • iss - Optional client identifier used added to jwt assertion used for RFC7523 and defaults to “client_id”.
  • audience: - Optional intended audience of the jwt assertion used for RFC7523 and defaults to “token_url”.
  • claims: - Optional extra claims to be added to jwt assertion used for RFC7523.
  • endpoint_params - Additional parameters that are sent to the token endpoint.
  • scopes - Optional optional requested permissions associated for the client.
  • timeout - Optional specifies the timeout on the underlying client to authorization server for fetching the tokens (initial and while refreshing). This is optional and not setting this configuration implies there is no timeout on the client.
  • expiry_buffer - Optional Specifies the time buffer to refresh the access token before it expires, preventing authentication failures due to token expiration. The default value is 5m.
For more information on client side TLS settings, see configtls README.

​
Configuration

​
Example Configuration

oauth2client:
  client_id: someclientid
  client_secret: someclientsecret
  token_url: https://example.com/oauth2/default/v1/token
  endpoint_params:
    audience: someaudience
  scopes: ["api.metrics"]
  timeout: 1s

oauth2client/jwt-bearer-grant-type:
  client_id: someclientid
  client_certificate_key: secret_key
  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  token_url: https://example.com/oauth2/default/v1/token
  endpoint_params:
    audience: someaudience
  scopes: ["api.metrics"]
  timeout: 1s

oauth2client/withtls:
  client_id: someclientid2
  client_secret: someclientsecret2
  token_url: https://example2.com/oauth2/default/v1/token
  scopes: ["api.metrics"]
  timeout: 1s
  expiry_buffer: 15s
  # tls settings for the token client
  tls:
    insecure: true
    ca_file: cafile
    cert_file: certfile
    key_file: keyfile

oauth2client/missingid:
  client_secret: someclientsecret
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingsecret:
  client_id: someclientid
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingcertificate:
  client_id: someclientid
  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingurl:
  client_id: someclientid
  client_secret: someclientsecret
  scopes: ["api.metrics"]
Last generated: 2026-04-13