opentelemetry-collector: OTLP HTTP receiver with OIDC : always getting 401 Unauthorized

Describe the bug

What’s working: In the collector I can set up an OTLP GRPC receiver with OIDC auth. From a Java OTLP GRPC exporter everything is fine: I set my JWT token with an io.grpc.ClientInterceptor through a ManagedChannel object. The collector GRPC endpoint works as expected.

What’s not working: I can’t set up an OTLP HTTP receiver with OIDC auth. I always get a 401 Unauthorized response. I’m pretty sure I’m doing something wrong but I can’t find out where.

Steps to reproduce

From a Java OTEL GRPC exporter everything works

    public Tracer opentelemetryTracer() {

        Tracer tracer;
        TracerProvider tracerProvider = GlobalOpenTelemetry.getTracerProvider();

        // URI.create avoids the checked URISyntaxException thrown by new URI(...)
        URI endpoint = URI.create("http://localhost:5317");

        ManagedChannelBuilder<?> managedChannelBuilder = ManagedChannelBuilder.forTarget(endpoint.getAuthority());
        managedChannelBuilder.usePlaintext();

        // this.otelJwtToken.getMetadata() returns <"Authorization", "Bearer <token>">
        managedChannelBuilder.intercept(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.otelJwtToken.getMetadata())});

        OtlpGrpcSpanExporter otlpGrpcSpanExporter = OtlpGrpcSpanExporter.builder()
            .setChannel(managedChannelBuilder.build())
            .build();

        OpenTelemetrySdk openTelemetrySdk =
            OpenTelemetrySdk.builder()
                .setTracerProvider(
                    SdkTracerProvider.builder()
                        .addSpanProcessor(SimpleSpanProcessor.create(LoggingSpanExporter.create()))
                        .addSpanProcessor(
                            BatchSpanProcessor
                                .builder(
                                        otlpGrpcSpanExporter
                                ).build()
                        ).build()
                ).build();

        tracer = openTelemetrySdk.getTracer("otl-mytracer-provider");

        return tracer;
    }

With a Java OTEL HTTP exporter it fails

    public Tracer opentelemetryTracer2() {

        Tracer tracer;
        TracerProvider tracerProvider = GlobalOpenTelemetry.getTracerProvider();

        String token = "<token>";

        OtlpHttpSpanExporter otlpHttpSpanExporter = OtlpHttpSpanExporter.builder()
            .setEndpoint("http://localhost:5318/v1/traces")
            .addHeader("authorization", "Bearer " + token)
            .build();

        OpenTelemetrySdk openTelemetrySdk =
            OpenTelemetrySdk.builder()
                .setTracerProvider(
                    SdkTracerProvider.builder()
                        .addSpanProcessor(SimpleSpanProcessor.create(LoggingSpanExporter.create()))
                        .addSpanProcessor(
                            BatchSpanProcessor
                                .builder(
                                    otlpHttpSpanExporter
                                ).build()
                        ).build()
                ).build();

        tracer = openTelemetrySdk.getTracer("otl-mytracer-provider");

        return tracer;
    }

With curl I also get a 401 whether my token is valid or not

    curl -v -XPOST "localhost:5318/v1/traces" -H "Authorization: Bearer ${TOKEN}"

    *   Trying 127.0.0.1:5318...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 5318 (#0)
    > POST /v1/traces HTTP/1.1
    > Host: localhost:5318
    > User-Agent: curl/7.68.0
    > Accept: */*
    > Authorization: Bearer <Token>
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < Content-Type: text/plain; charset=utf-8
    < X-Content-Type-Options: nosniff
    < Date: Fri, 11 Mar 2022 13:57:05 GMT
    < Content-Length: 13
    < 
    Unauthorized
    * Connection #0 to host localhost left intact

What did you expect to see? An authorized response if my token is valid.

What did you see instead? An Unauthorized response

What version did you use? Version: 0.44, 0.45, 0.46

What config did you use?

    receivers:
      otlp/jwt:
        protocols:
          grpc:
            endpoint: 0.0.0.0:5317
            auth:
              authenticator: oidc/jwt
          http:
            endpoint: 0.0.0.0:5318
            auth:
              authenticator: oidc/jwt

    exporters:
      logging:
        logLevel: debug

    processors:
      batch:
        send_batch_size: 32768
      memory_limiter:
        check_interval: 5s
        limit_mib: 1000
        spike_limit_mib: 250
      resource:
        attributes:
        - key: otel-dc
          value: "local"
          action: insert

    extensions:
      oidc/jwt:
        issuer_url: https://my-oidc-server
        audience: my-audience

    service:
      telemetry:
        logs:
          level: debug
          encoding: console
          development: false
      extensions: [oidc/jwt]
      pipelines:
        traces:
          receivers: [otlp/jwt]
          processors: [memory_limiter, batch, resource]
          exporters: [logging]

Environment OS: Ubuntu 20.04

Additional context N/A

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 16 (13 by maintainers)

Most upvoted comments

I can confirm I am seeing the same issue as well on my end while using HTTP exports to OTLP HTTP receiver with OIDC. I have also tested with our standard example but with a slight modification

Please see the comment below.

Hi,

I must have made a mistake in my setup last time when I said it didn’t work with ‘Authorization’. Sorry about that.

I just tested it again and can confirm. It works only if I set oidc’s attribute property with ‘Authorization’ with an ‘A’, like @pavankrish123 said.

Tested OK with collector 0.44 and 0.48.

But if I don’t set oidc’s attribute property, or if I set a custom value, it does not work.
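
The case mismatch consistent with what this thread reports, as an added Go example (not code from the issue or from the collector). It assumes the authenticator reads the configured attribute with a case-sensitive map lookup; the function names and the token are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// lookupExact models a case-sensitive lookup of the configured attribute
// (assumption: this is how the header map is read).
func lookupExact(headers map[string][]string, attribute string) (string, bool) {
	if v := headers[attribute]; len(v) > 0 {
		return v[0], true
	}
	return "", false
}

// lookupFold is the robust variant: header names compared case-insensitively.
func lookupFold(headers map[string][]string, attribute string) (string, bool) {
	for k, v := range headers {
		if strings.EqualFold(k, attribute) && len(v) > 0 {
			return v[0], true
		}
	}
	return "", false
}

// httpHeaders builds the map an HTTP handler sees: net/http canonicalizes
// names, so a client's "authorization" is stored under "Authorization".
func httpHeaders(name, value string) map[string][]string {
	h := http.Header{}
	h.Set(name, value)
	return h
}

// grpcMetadata builds the map a gRPC handler sees: HTTP/2 header names are
// lower-case on the wire (simulated here with strings.ToLower).
func grpcMetadata(name, value string) map[string][]string {
	return map[string][]string{strings.ToLower(name): {value}}
}

func main() {
	const bearer = "Bearer constructed-token" // constructed sample value
	for _, attr := range []string{"authorization", "Authorization"} {
		_, g := lookupExact(grpcMetadata("Authorization", bearer), attr)
		_, h := lookupExact(httpHeaders("authorization", bearer), attr)
		_, f := lookupFold(httpHeaders("authorization", bearer), attr)
		fmt.Printf("attribute=%q grpc=%v http=%v http(fold)=%v\n", attr, g, h, f)
	}
}
```

In this model the lower-case attribute matches only the gRPC metadata and the capitalized one matches only the HTTP header map, while the case-insensitive lookup matches both.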