New component: JWT server authenticator

[StarpTech]

The purpose and use-cases of the new component

This extension authenticates users who want to send data to your collector with a JWT, enabling multi-tenant use cases easier. Based on the auth claims data, you can use a processor like attributesprocessor to filter or enrich the data. Authenticity is ensured by signing the JWT token with the same secret before.

Example configuration for the component

extensions:
  jwt:
    secret: "secret"

receivers:
  otlp:
    protocols:
      grpc:
        auth:
          authenticator: jwt

processors:
  # Extract the project id from the auth context
  attributes/from_auth_context:
    actions:
      - key: project.id
        from_context: auth.project_id
        action: insert

exporters:
  logging:
    logLevel: debug

service:
  extensions: [jwt]
  pipelines:
    traces:
      receivers: [otlp]
      # Apply the processor
      processors: [attributes/from_auth_context]
      exporters: [logging]

Telemetry data types supported

traces, metrics and logs

Is this a vendor-specific component?

• This is a vendor-specific component
• If this is a vendor-specific component, I am proposing to contribute this as a representative of the vendor.

Sponsor (optional)

No response

Additional context

#20524

[atoulme]

The sponsor should be an approver or maintainer of the opentelemetry collector contrib project. @wundergraph cannot be considered as a sponsor here.

[atoulme]

How does this compare to the existing extensions bearertokenauthextension or oauth2clientauthextension ?

[fatsheep9146]

@jpkrohling do you have any suggestions about this issue?

[StarpTech]

How does this compare to the existing extensions bearertokenauthextension or oauth2clientauthextension ?

Read the README's 😄

• https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/bearertokenauthextension?rgh-link-date=2023-04-04T20%3A13%3A53Z Injects a static token for every RPC call. Used by exporters, not receivers.
• https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oauth2clientauthextension implements the OAuth2 credentials flow.

The new proposed component work with JWT's to authenticate a client. No third-party service is involved.

[StarpTech]

The sponsor should be an approver or maintainer of the opentelemetry collector contrib project. https://github.com/wundergraph?type=source cannot be considered as a sponsor here.

How can we become one?

[jpkrohling]

The community roles are described here: https://github.com/open-telemetry/community/blob/main/community-membership.md#community-membership

[perestoronin]

git clone https://github.com/wundergraph/opentelemetry-collector-contrib.git
cd opentelemetry-collector-contrib
git checkout "dustin/add_jwt_authenticator"
cd cmd/otelcontribcol
go mod vendor
go build
./otelcontribcol components

expected jwt in list of extensions, but jwt extension not exists, why? @StarpTech

[StarpTech]

@perestoronin no idea; I'm not very familiar with the setup of the repo. What do I need to update?

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

[StarpTech]

@perestoronin @jpkrohling I need help. The PR #20524 is open for over 30 days and no maintainer feels responsible.

[atoulme]

You don’t have a sponsor. You need one before maintainers can help.

[MovieStoreGuy]

You have a few options to try reach out to a potential sponser,

• The weekly SIG calls are a great way to convey the need for this "in person"
• Reach out within the CNCF slack space and ask if any approvers or maintainer would be will to sponsor this.

If you're able to help draw out some more use cases and examples, it greatly help me understand the desire for this beyond having JWT support.

[StarpTech]

Hi @MovieStoreGuy, I don't know what else I can say. I think I described the use case in the issue and here https://github.com/wundergraph/opentelemetry-collector-contrib/blob/dustin/add_jwt_authenticator/extension/jwtauthextension/README.md#description. In a nutshell: You can make your OTEL collector public and secure the ingestion with this extension through signed JWT's.
This is our use case at https://wundergraph.com/ I couldn't find any existing extension that makes that possible.

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

[github-actions]

This issue has been closed as inactive because it has been stale for 120 days with no activity.