opentelemetry-collector: OTLP HTTP receiver with OIDC : always getting 401 Unauthorized
Describe the bug
What’s working: In the collector I can set up an OTLP gRPC receiver with OIDC auth.
From a Java OTLP gRPC exporter everything is fine: I set my JWT token with an io.grpc.ClientInterceptor through a ManagedChannel object. The collector gRPC endpoint works as expected.
What’s not working: I can’t set up an OTLP HTTP receiver with OIDC auth. I always get a 401 Unauthorized response. I’m pretty sure I’m doing something wrong but I can’t find out where.
Steps to reproduce
From a Java OTEL GRPC exporter everything works
```java
public Tracer opentelemetryTracer() throws URISyntaxException {
    Tracer tracer;
    TracerProvider tracerProvider = GlobalOpenTelemetry.getTracerProvider();
    URI endpoint = new URI("http://localhost:5317");
    ManagedChannelBuilder<?> managedChannelBuilder = ManagedChannelBuilder.forTarget(endpoint.getAuthority());
    managedChannelBuilder.usePlaintext();
    // this.otelJwtToken.getMetadata() returns <"Authorization", "Bearer <token>">
    managedChannelBuilder.intercept(new ClientInterceptor[]{MetadataUtils.newAttachHeadersInterceptor(this.otelJwtToken.getMetadata())});
    OtlpGrpcSpanExporter otlpGrpcSpanExporter = OtlpGrpcSpanExporter.builder()
            .setChannel(managedChannelBuilder.build())
            .build();
    OpenTelemetrySdk openTelemetrySdk =
            OpenTelemetrySdk.builder()
                    .setTracerProvider(
                            SdkTracerProvider.builder()
                                    .addSpanProcessor(SimpleSpanProcessor.create(LoggingSpanExporter.create()))
                                    .addSpanProcessor(
                                            BatchSpanProcessor
                                                    .builder(
                                                            otlpGrpcSpanExporter
                                                    ).build()
                                    ).build()
                    ).build();
    tracer = openTelemetrySdk.getTracer("otl-mytracer-provider");
    return tracer;
}
```
With a Java OTEL HTTP exporter it fails
```java
public Tracer opentelemetryTracer2() {
    Tracer tracer;
    TracerProvider tracerProvider = GlobalOpenTelemetry.getTracerProvider();
    String token = "<token>";
    OtlpHttpSpanExporter otlpHttpSpanExporter = OtlpHttpSpanExporter.builder()
            .setEndpoint("http://localhost:5318/v1/traces")
            .addHeader("authorization", "Bearer " + token)
            .build();
    OpenTelemetrySdk openTelemetrySdk =
            OpenTelemetrySdk.builder()
                    .setTracerProvider(
                            SdkTracerProvider.builder()
                                    .addSpanProcessor(SimpleSpanProcessor.create(LoggingSpanExporter.create()))
                                    .addSpanProcessor(
                                            BatchSpanProcessor
                                                    .builder(
                                                            otlpHttpSpanExporter
                                                    ).build()
                                    ).build()
                    ).build();
    tracer = openTelemetrySdk.getTracer("otl-mytracer-provider");
    return tracer;
}
```
With curl I also get a 401 whether my token is valid or not
```
curl -v -XPOST "localhost:5318/v1/traces" -H "Authorization: Bearer ${TOKEN}"
* Trying 127.0.0.1:5318...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 5318 (#0)
> POST /v1/traces HTTP/1.1
> Host: localhost:5318
> User-Agent: curl/7.68.0
> Accept: */*
> Authorization: Bearer <Token>
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Fri, 11 Mar 2022 13:57:05 GMT
< Content-Length: 13
<
Unauthorized
* Connection #0 to host localhost left intact
```
What did you expect to see? An authorized response if my token is valid.
What did you see instead? An Unauthorized response
What version did you use? Version: 0.44, 0.45, 0.46
What config did you use?
```yaml
receivers:
  otlp/jwt:
    protocols:
      grpc:
        endpoint: 0.0.0.0:5317
        auth:
          authenticator: oidc/jwt
      http:
        endpoint: 0.0.0.0:5318
        auth:
          authenticator: oidc/jwt
exporters:
  logging:
    logLevel: debug
processors:
  batch:
    send_batch_size: 32768
  memory_limiter:
    check_interval: 5s
    limit_mib: 1000
    spike_limit_mib: 250
  resource:
    attributes:
      - key: otel-dc
        value: "local"
        action: insert
extensions:
  oidc/jwt:
    issuer_url: https://my-oidc-server
    audience: my-audience
service:
  telemetry:
    logs:
      level: debug
      encoding: console
      development: false
  extensions: [oidc/jwt]
  pipelines:
    traces:
      receivers: [otlp/jwt]
      processors: [memory_limiter, batch, resource]
      exporters: [logging]
```
Environment OS: Ubuntu 20.04
Additional context N/A
About this issue
- State: closed
- Created 2 years ago
- Comments: 16 (13 by maintainers)
I can confirm I am seeing the same issue as well on my end while using HTTP exports to OTLP HTTP receiver with OIDC. I have also tested with our standard example but with a slight modification. Please see the comment below.
Hi,
I must have made a mistake in my setup last time when I said it didn’t work with ‘Authorization’. Sorry about that.
I just tested it again and confirm. It works only if I set oidc’s attribute property with ‘Authorization’ with an ‘A’ like @pavankrish123 said.
Tested OK with collector 0.44 and 0.48.
But if I don’t set oidc’s attribute property or if I set a custom value it does not work.
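A likely cause of the behaviour confirmed in this thread, shown as an added example that is not the collector's own code: Go's `net/http` canonicalises an incoming `authorization` header to the map key `Authorization`, while gRPC metadata keys stay lower case, so an exact-match lookup with one configured attribute name succeeds on one transport and misses on the other. Assumptions: the extension's default attribute is lower-case `authorization` and the key is looked up case-sensitively; `httpHeaders`, `exactLookup`, `foldLookup` and the sample values are hypothetical and constructed for this illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Constructed samples: a raw OTLP/HTTP request with a lower-case header name, and gRPC metadata.
const sampleRequest = "POST /v1/traces HTTP/1.1\r\nHost: localhost:5318\r\n" +
	"authorization: Bearer constructed-token\r\n\r\n"
var sampleMetadata = map[string][]string{"authorization": {"Bearer constructed-token"}}

// httpHeaders parses a request as a Go HTTP server does; the key becomes "Authorization".
func httpHeaders(raw string) (map[string][]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	return req.Header, nil
}

// exactLookup (hypothetical, not collector code) uses the attribute as a case-sensitive key.
func exactLookup(headers map[string][]string, attribute string) (string, bool) {
	if v := headers[attribute]; len(v) > 0 {
		return v[0], true
	}
	return "", false
}

// foldLookup compares names case-insensitively, so one setting fits both transports.
func foldLookup(headers map[string][]string, attribute string) (string, bool) {
	for k, v := range headers {
		if strings.EqualFold(k, attribute) && len(v) > 0 {
			return v[0], true
		}
	}
	return "", false
}

func main() {
	h, _ := httpHeaders(sampleRequest)
	_, lower := exactLookup(h, "authorization")
	_, upper := exactLookup(h, "Authorization")
	_, grpc := exactLookup(sampleMetadata, "authorization")
	fmt.Println("HTTP authorization:", lower, "HTTP Authorization:", upper, "gRPC authorization:", grpc)
}
```

Under this model the lower-case attribute authenticates gRPC but returns 401 on HTTP, which matches the reports above; a case-insensitive comparison removes the dependence on the configured spelling.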