-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC Extension Keycloak Token Auth #34879
Comments
Pinging code owners:
See Adding Labels via Comments if you do not have permissions to add labels yourself. |
What's the body of the HTTP response you are receiving? |
I understand that what you mean by HTTP body is the body of the "401 unauthorized" response. Since I developed the application with golang and used opentelemetry libraries for tracing, I cannot manipulate these parts manually and cannot view the detailed body. If you can give me instructions, I can share the body with you. Opentelemetry libraries and versions that I use in the application:
In addition, for example, when I try to get Keycloak token with wrong credentials via Postman or give wrong Exporter config etc. I can view detailed error logs on Keycloak for these operations. But when I get this "401" response, no log is sent to Keycloak (even though I started Keycloak with KC_LOG_LEVEL=DEBUG config). Additional Note: I am adding the block where I integrated opentelemetry into the application for help. import (
"context"
"github.com/limanmys/netex-server/internal/constants"
"go.opentelemetry.io/otel"
"go.opentelemetry.io/otel/exporters/otlp/otlptrace"
"go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp"
"go.opentelemetry.io/otel/propagation"
"go.opentelemetry.io/otel/sdk/resource"
sdktrace "go.opentelemetry.io/otel/sdk/trace"
semconv "go.opentelemetry.io/otel/semconv/v1.4.0"
)
func InitTracer() *sdktrace.TracerProvider {
client := otlptracehttp.NewClient(
otlptracehttp.WithEndpoint(constants.OTEL_ADDRESS), // Exporter address eg. http://localhost:4318
otlptracehttp.WithInsecure(),
otlptracehttp.WithCompression(otlptracehttp.NoCompression),
otlptracehttp.WithHeaders(map[string]string{
"Authorization": constants.OTEL_AUTHORIZATION, // (Bearer: <TOKEN>) or (Basic: <USER:PASS _ in base64 form>)
}),
)
exporter, err := otlptrace.New(context.Background(), client)
if err != nil {
return nil
}
tp := sdktrace.NewTracerProvider(
sdktrace.WithSampler(sdktrace.AlwaysSample()),
sdktrace.WithBatcher(exporter),
sdktrace.WithResource(
resource.NewWithAttributes(
semconv.SchemaURL,
semconv.ServiceNameKey.String(constants.OTEL_SERVICE_NAME), // Service name eg. network-explorer
)),
)
otel.SetTracerProvider(tp)
otel.SetTextMapPropagator(propagation.NewCompositeTextMapPropagator(propagation.TraceContext{}, propagation.Baggage{}))
return tp
} I am also adding otelfiber middleware to fiber. app.Use(otelfiber.Middleware()) |
Can you use a similar setup from the blog post to test the collector setup? Like, use an agent with a static bearer token, and a server with the oidc auth for the OTLP receiver. If you can configure the collector as agent and it works, then we know your server is correctly configured and that there might be a problem in the Go SDK (although it looks like a config issue to me so far). |
Hi @jpkrohling. As you suggested, when I used a similar setup as in your blogpost, I was able to solve the problem! Thanks to this setup, I was able to see the error body that was not visible in my application (only 401 unauthorized). The problem is that I send traces using the HTTP protocol. I think the OIDC authentication method does not work in HTTP receivers. When I changed the places where I used HTTP in the application to GRPC, I was able to run it successfully. So, in Golang applications, the library required to use bearer tokens from the header should be "otlptracegrpc" instead of "otlptracehttp" and the client (in the InitTracer function I posted in the above message) should be defined as follows: client := otlptracegrpc.NewClient(
otlptracegrpc.WithEndpoint(constants.OTEL_ADDRESS),
otlptracegrpc.WithInsecure(),
otlptracegrpc.WithCompressor("gzip"),
otlptracegrpc.WithHeaders(map[string]string{
"authorization": constants.OTEL_AUTHORIZATION,
}),
) Thanks a lot! |
Component(s)
extension/oidcauth
What happened?
Description
Hi. I want to trace my golang application's metrics with Opentelemetry and Clickhouse. To achieve this, I use the opentelemetry clickhouse exporter. When I perform the exporter configuration without using any authenticator, I can view the traces of the transactions I make on ClickHouse in a healthy way. In other words, I have actually successfully established the architecture. However, I need to add an authenticator to the exporter. When I do this process with basic auth, I do not encounter an error. When I add the basic auth options that I set in otel-collector-config.yaml to the opentelemetry header in my application as Basic Authorization, I can still run it.
As for the problem, I cannot do this when I want to use the oidc extension. To achieve this, I give the header as "Authorization: Bearer _TOKEN" on the application side. But I keep getting this error:
2024/08/27 15:58:52 traces export: failed to send to http://localhost:4318/v1/traces: 401 Unauthorized
. When I encounter this error, no logs appear on the exporter (even though I started it in debug mode).Expected Result
Accepted Keycloak Token
Actual Result
401 Unauthorized
Collector version
v0.105.0
Environment information
Environment
OS: Ubuntu 20.04 on WSL 2
Compiler(if manually compiled): go1.22.5 linux/amd64
OpenTelemetry Collector configuration
Log output
Additional context
If I need to provide detailed information about possible questions that may arise:
The text was updated successfully, but these errors were encountered: