-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
oauth client credentials authentication in http sink #20635
Comments
This is exactly the feature preventing us from adopting Vector as our edge agent. 馃憤 Perhaps, we can also do another strategy, |
@singhbaljit client credentials flow is intended to app-to-app communication in oauth-enabled services. can you explain what a general openid helps here? |
Right, client credentials flow is still the primary case. The only difference here is what is configured. With OpenID, we just configure the standard OpenID endpoint; the client can discover/validate token endpoint, supported grant types ( |
i agree with that. but again we are in app-to-app communication and the requested scopes are expected to be set in the configuration. the discovery aspect does not really give a technical advantage. |
A few (inter-related) comments:
|
A note for the community
Use Cases
Sink data to http services protected with oauth2 client credentials flow. Client ID and secret are available as input, and vector should issue bearer tokens and refresh them continuously during runtime.
Attempted Solutions
Two main solution were evaluated:
cons: a point of failure, too much complexity for a simple functionality, adds maintenance costs.
cons: still a separate component for a seemingly simple functionality, abusing vector's reload functionality.
We prefer to avoid both because they involve writing ad-hoc components that add a point of failure, plus they are too ad-hoc although oauth2 is an industry standard and it fits very will as a built-in feature in vector.
Proposal
Support a new authentication strategy in http sink configuration:
"oauth2"
auth.strategy
now accepts a third valueoauth2
in addition to the existingbasic
andbearer
.auth.client_id
the oauth2 client ID.auth.client_secret
the oauth2 client secret.auth.token_endpoint
the endpoint for performing auth2 client credentials authentication.auth.token_refresh_grace
a period of time to refresh the token before it expires. for example can default it to 5 minutes.auth.token_client_key
auth.token_client_crt
During runtime: Before data is sent to the http sink target a token is obtained from the endpoint. The obtained token is reused for all subsequent request until it expiration time minus the refresh grace is reached, on which a new token is obtained and the process restarts.
The certificate pair in (6) and (7) might be necessary to support token issuers that require a client certificate.
References
No response
Version
No response
The text was updated successfully, but these errors were encountered: