From af49dce6ececf303638c9456e807a2a664559164 Mon Sep 17 00:00:00 2001
From: Israel Blancas
Date: Mon, 11 Nov 2024 17:46:23 +0100
Subject: [PATCH] Add missing documentation oidcauth extension

Signed-off-by: Israel Blancas
---
 .../otel-collector-extensions.adoc | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/observability/otel/otel-collector/otel-collector-extensions.adoc b/observability/otel/otel-collector/otel-collector-extensions.adoc
index daaa9f3b59fe..c3d78f5ecdb3 100644
--- a/observability/otel/otel-collector/otel-collector-extensions.adoc
+++ b/observability/otel/otel-collector/otel-collector-extensions.adoc
@@ -205,6 +205,70 @@ include::snippets/technology-preview.adoc[] <4> The audience for the token. <5> The name of the claim that contains the username. The default name is `sub`. +.Parameters used by the OIDC Auth Extension +[options="header"] +[cols="a,a,a"] +|=== +|Parameter |Description |Default + +|`attribute` +|The name of the header that contains the ID token. +|`authorization` + +|`issuer_url` +|The base URL of the OIDC provider. +|N/A + +|`issuer_ca_path` +|Optional: The path to the issuer's CA certificate. +|N/A + +|`audience` +|The intended audience for the token. +|N/A + +|`username_claim` +|The claim in the token that contains the username. +|`sub` +|=== + +=== Troubleshooting + +The OIDC Auth Extension authenticates incoming requests to receivers using the OpenID Connect (OIDC) protocol. It validates ID tokens in the authorization header and updates the authentication context of the incoming request. + +==== Authentication failure + +If incoming requests fail to authenticate, consider the following: + +.Procedure + +- Verify the `issuer_url`: ensure the `issuer_url` is correctly set to the base URL of the OIDC provider. ++ +- Check the `audience`: confirm that the audience in the token matches the value specified in the `audience` field of the configuration. ++ +- Ensure the `attribute` is correct: verify that the header containing the ID token matches the value set in the `attribute` parameter (default is `authorization`). + +==== Issues with the issuer’s CA certificate + +If the extension fails to validate the issuer’s certificate, consider the following: + +.Procedure + +- Verify the `issuer_ca_path`: ensure the path to the issuer’s CA certificate is correct and that the OpenTelemetry Collector has access to the file. ++ +- Check CA file permissions: confirm that the Collector has the necessary read permissions for the CA file. 
+ +==== Username claim issues + +If the username is not being extracted correctly, consider the following: + +.Procedure + +- Verify the `username_claim`: check that the `username_claim` is correctly set and that the ID token includes this claim (default is `sub`). ++ +- Inspect the token: review the token’s payload to ensure the claim containing the username exists and matches the field defined in the configuration. + + [id="jaegerremotesampling-extension_{context}"] == Jaeger Remote Sampling Extension
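Review bot: the three `.Procedure` lists in the new Troubleshooting subsections (Authentication failure, Issues with the issuer's CA certificate, Username claim issues) put a bare `+` line between sibling `- ` bullet items; in AsciiDoc `+` is a list continuation that attaches the following block to the preceding item, so it is not needed between items and should be dropped, and because each list is a checklist of steps under a `.Procedure` title, an ordered list (`. Verify the \`issuer_url\`: ...`) reads better than bullets. Two documentation gaps are worth closing in the same hunk. First, the Authentication failure procedure tells the reader to check `issuer_url`, `audience` and `attribute` against the configuration but never against the token itself, while the Username claim section already recommends inspecting the token payload; a step such as `. Decode the ID token and confirm that its issuer and audience claims match \`issuer_url\` and \`audience\`.` would make the first procedure self-sufficient. Second, the CA certificate section covers only the file path and read permissions; it should also say that `issuer_ca_path` must point to the CA that issued the OIDC provider's serving certificate, since a readable but wrong CA file fails validation in exactly the same way. Minor: the new text mixes typographic apostrophes (`issuer’s`, `token’s`) with the plain ASCII punctuation used in the rest of the hunk; use straight apostrophes consistently.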