Closed
64 changes: 64 additions & 0 deletions observability/otel/otel-collector/otel-collector-extensions.adoc
@@ -205,6 +205,70 @@ include::snippets/technology-preview.adoc[]
<4> The audience for the token.
<5> The name of the claim that contains the username. The default name is `sub`.

.Parameters used by the OIDC Auth Extension
[options="header"]
[cols="a,a,a"]
|===
|Parameter |Description |Default

|`attribute`
|The name of the header that contains the ID token.
|`authorization`

|`issuer_url`
|The base URL of the OIDC provider.
|N/A

|`issuer_ca_path`
|Optional: The path to the issuer's CA certificate.
|N/A

|`audience`
|The intended audience for the token.
|N/A

|`username_claim`
|The claim in the token that contains the username.
|`sub`
|===

=== Troubleshooting

The OIDC Auth Extension authenticates incoming requests to receivers using the OpenID Connect (OIDC) protocol. It validates ID tokens in the authorization header and updates the authentication context of the incoming request.

==== Authentication failure

If incoming requests fail to authenticate, consider the following:

.Procedure

- Verify the `issuer_url`: ensure the `issuer_url` is correctly set to the base URL of the OIDC provider.
+
- Check the `audience`: confirm that the audience in the token matches the value specified in the `audience` field of the configuration.
+
- Ensure the `attribute` is correct: verify that the header containing the ID token matches the value set in the `attribute` parameter (default is `authorization`).

==== Issues with the issuer’s CA certificate

If the extension fails to validate the issuer’s certificate, consider the following:

.Procedure

- Verify the `issuer_ca_path`: ensure the path to the issuer’s CA certificate is correct and that the OpenTelemetry Collector has access to the file.
+
- Check CA file permissions: confirm that the Collector has the necessary read permissions for the CA file.

==== Username claim issues

If the username is not being extracted correctly, consider the following:

.Procedure

- Verify the `username_claim`: check that the `username_claim` is correctly set and that the ID token includes this claim (default is `sub`).
+
- Inspect the token: review the token’s payload to ensure the claim containing the username exists and matches the field defined in the configuration.


[id="jaegerremotesampling-extension_{context}"]
== Jaeger Remote Sampling Extension
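
Review bot: The `+` lines between the bullets in all three `.Procedure` lists (under "Authentication failure", "Issues with the issuer’s CA certificate" and "Username claim issues") should be removed. In AsciiDoc a lone `+` is a list continuation that attaches the following block to the preceding item, so placing it before a sibling `-` item can render the next bullet as attached to the previous one instead of as a flat list. Under the CA certificate heading, the two bullets overlap: the first already says the Collector must have "access to the file" and the second repeats that as "necessary read permissions", so they could be merged into one check. The paragraph directly under `=== Troubleshooting` describes what the extension does rather than how to recognize a failure. A sentence on where the failure shows up would give the three subsections a starting point. The new text also uses a typographic apostrophe in "issuer’s" while the table row for `issuer_ca_path` uses a straight one ("issuer's"), so pick one form. The two attribute lines `[options="header"]` and `[cols="a,a,a"]` can be combined into a single block attribute line.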
