> ## Documentation Index
> Fetch the complete documentation index at: https://otel.fyi/llms.txt
> Use this file to discover all available pages before exploring further.

# Oauth2clientauth

> OpenTelemetry extension for Oauth2clientauth

# Oauth2clientauth Extension

![Status](https://img.shields.io/badge/status-beta-yellow)

**Available in:** `contrib`, `k8s`

**Maintainers:** [@pavankrish123](https://github.com/pavankrish123)

**Source:** [opentelemetry-collector-contrib](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oauth2clientauthextension)

## Overview

This extension provides OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters. The extension
fetches and refreshes the token after expiry automatically. For further details about OAuth2 Client Credentials flow (2-legged workflow)
refer [https://datatracker.ietf.org/doc/html/rfc6749#section-4.4](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4).

The authenticator type has to be set to `oauth2client`.

## Configuration

```yaml theme={null}
extensions:
  oauth2client:
    client_id: someclientid
    client_secret: someclientsecret
    endpoint_params:
      audience: someaudience
    token_url: https://example.com/oauth2/default/v1/token
    scopes: ["api.metrics"]
    # tls settings for the token client
    tls:
      insecure: true
      ca_file: /var/lib/mycert.pem
      cert_file: certfile
      key_file: keyfile
    # timeout for the token client
    timeout: 2s
    # buffer time before token expiry to refresh
    expiry_buffer: 10s

  oauth2client/jwt-bearer-grant-type:
    client_id: someclientid
    client_certificate_key: secret_key
    grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
    token_url: https://example.com/oauth2/default/v1/token
    signature_algorithm: RS512
    endpoint_params:
      audience: someaudience
    scopes: ["api.metrics"]
    timeout: 1s
    
receivers:
  hostmetrics:
    scrapers:
      memory:
  otlp:
    protocols:
      grpc:

exporters:
  otlp_http/withauth:
    endpoint: http://localhost:9000
    auth:
      authenticator: oauth2client
      
  otlp_grpc/withauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client
      
  otlp_grpc/withjwtauth:
    endpoint: 0.0.0.0:5000
    tls:
      ca_file: /tmp/certs/ca.pem
    auth:
      authenticator: oauth2client/jwt-bearer-grant-type

service:
  extensions: [oauth2client,oauth2client/jwt-bearer-grant-type]
  pipelines:
    metrics:
      receivers: [hostmetrics]
      processors: []
      exporters: [otlp_http/withauth, otlp_grpc/withauth, otlp_grpc/withjwtauth]
```

Following are the configuration fields

* [**token\_url**](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2) - The resource server's token endpoint URLs.
* [**client\_id**](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2) - The client identifier issued to the client.
* [**grant\_type**](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3) - **Optional** OAuth2 grant type to use. It can be one of "client\_credentials" or "urn:ietf:params:oauth:grant-type:jwt-bearer" and defaults to "client\_credentials"
* **client\_id\_file** - The file path to retrieve the client identifier issued to the client.
  The extension reads this file and updates the client ID used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate.\
  This setting takes precedence over `client_id`.
* [**client\_secret**](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) - The secret string associated with above identifier. This is required when grant\_type is "client\_credentials"
* **client\_secret\_file** - The file path to retrieve the secret string associated with above identifier.
  The extension reads this file and updates the client secret used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate.\
  This setting takes precedence over `client_secret`.
* **client\_certificate\_key** - The private key used to sign the jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523). This is required when grant\_type is "urn:ietf:params:oauth:grant-type:jwt-bearer"
* **client\_certificate\_key\_file** - The file path to retrieve the secret string associated with above identifier.
  The extension reads this file and updates the client key used whenever it needs to issue a new token. This enables dynamically changing the credentials by modifying the file contents when, for example, they need to rotate.\
  This setting takes precedence over `client_certificate_key`.
* **client\_certificate\_key\_id** - **Optional** [kid](https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4) used to sign the jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).
* **signature\_algorithm** - **Optional** RSA algorithm used to sign jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523) and defaults to "RS256".
* **iss** - **Optional** client identifier used added to jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523) and defaults to "client\_id".
* **audience**: - **Optional** intended audience of the jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523) and defaults to "token\_url".
* **claims**: - **Optional** extra claims to be added to jwt assertion used for [RFC7523](https://datatracker.ietf.org/doc/html/rfc7523).
* [**endpoint\_params**](https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L44) - Additional parameters that are sent to the token endpoint.
* [**scopes**](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3) - **Optional** optional requested permissions associated for the client.
* [**timeout**](https://golang.org/src/net/http/client.go#L90) -  **Optional** specifies the timeout on the underlying client to authorization server for fetching the tokens (initial and while refreshing).
  This is optional and not setting this configuration implies there is no timeout on the client.
* **expiry\_buffer** -  **Optional** Specifies the time buffer to refresh the access token before it expires, preventing authentication failures due to token expiration. The default value is 5m.

For more information on client side TLS settings, see [configtls README](https://github.com/open-telemetry/opentelemetry-collector/tree/main/config/configtls).

## Configuration

### Example Configuration

```yaml theme={null}
oauth2client:
  client_id: someclientid
  client_secret: someclientsecret
  token_url: https://example.com/oauth2/default/v1/token
  endpoint_params:
    audience: someaudience
  scopes: ["api.metrics"]
  timeout: 1s

oauth2client/jwt-bearer-grant-type:
  client_id: someclientid
  client_certificate_key: secret_key
  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  token_url: https://example.com/oauth2/default/v1/token
  endpoint_params:
    audience: someaudience
  scopes: ["api.metrics"]
  timeout: 1s

oauth2client/withtls:
  client_id: someclientid2
  client_secret: someclientsecret2
  token_url: https://example2.com/oauth2/default/v1/token
  scopes: ["api.metrics"]
  timeout: 1s
  expiry_buffer: 15s
  # tls settings for the token client
  tls:
    insecure: true
    ca_file: cafile
    cert_file: certfile
    key_file: keyfile

oauth2client/missingid:
  client_secret: someclientsecret
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingsecret:
  client_id: someclientid
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingcertificate:
  client_id: someclientid
  grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
  token_url: https://example.com/oauth2/default/v1/token
  scopes: ["api.metrics"]

oauth2client/missingurl:
  client_id: someclientid
  client_secret: someclientsecret
  scopes: ["api.metrics"]
```

***

*Last generated: 2026-07-06*
