OAuth2

_includes/doc/admin-guide/options/cloud-auth.md

@@ -0,0 +1,15 @@
+## cloud-auth()
+
+*Description:* Configures cloud-based authentication for the syslog-ng-otlp() destination. This option enables OAuth2 authentication for gRPC connections using the syslog-ng cloud authentication framework.
+
+The following authentication methods are available:
+
+### oauth2()
+
+Configures OAuth2 authentication for gRPC-based destinations. Tokens are automatically injected into gRPC metadata for each request.
+
+The `oauth2()` option supports the following parameters:
+- client_id()
+- client_secret()
+- token_url()
+- scope()

doc/_admin-guide/070_Destinations/045_Google_bigQuery/000_bigquery_dest_options.md

@@ -20,6 +20,8 @@ Available in {{ site.product.short_name }} 4.5 and later versions.
 
 *Description:* This option enables compression in gRPC requests. Currently only deflate-type (similar to gzip) compression is supported.
 
+{% include doc/admin-guide/options/cloud-auth.md %}
+
 ## dataset()
 
 |  Type:|     string|

doc/_admin-guide/070_Destinations/045_Google_bigQuery/README.md

@@ -17,7 +17,11 @@ description: >-
 
 To configure {{ site.product.short_name }}, the name of the project, the dataset, the name and schema of the used table are necessary.
 
-The authentication is done through Application Default Credentials.
+Authentication can be configured using either Google Application Default Credentials (ADC) or OAuth2 via the `cloud-auth()` framework.
+
+By default, the destination uses Google Application Default Credentials (GoogleDefaultCredentials). In production environments, a service account with Workload Identity is recommended.
+
+Alternatively, OAuth2 authentication can be configured explicitly using `cloud-auth(oauth2())`, which injects OAuth2 tokens into gRPC requests.
 
 The destination uses `GoogleDefaultCredentials` for authentication, which covers everything listed in as ADC. Within a production environment, use a service account and Workload Identity.
 
@@ -45,4 +49,32 @@ destination d_bigquery {
 
 ```
 
+### Example: BigQuery destination configuration with OAuth2 authentication
+
+```config
+destination d_bigquery_oauth2 {
+    bigquery(
+        project("test-project")
+        dataset("test-dataset")
+        table("test-table")
+
+        cloud-auth(
+            oauth2(
+                client_id("client-id")
+                client_secret("client-secret")
+                token_url("https://auth.example.com/token")
+                scope("https://www.googleapis.com/auth/bigquery")
+            )
+        )
+
+        schema(
+            "message" => "${MESSAGE}"
+            "app" STRING => "${PROGRAM}"
+            "host" STRING => "${HOST}"
+            "time" DATETIME => "${ISODATE}"
+        )
+    );
+}
+```
+
 If not specified, the messages are sent with one worker, one message per batch, and without compression.

doc/_admin-guide/070_Destinations/081_http/000_http_options.md

@@ -79,6 +79,8 @@ version 3.18 and later.
 
 {% include doc/admin-guide/options/cert-file.md %}
 
+{% include doc/admin-guide/options/cloud-auth.md %}
+
 ## content-compression()
 
 |  Type:|      string|

doc/_admin-guide/070_Destinations/125_Loki/001_Loki_options.md

@@ -68,6 +68,8 @@ destination {
 
 {% include doc/admin-guide/options/channel-args.md %}
 
+{% include doc/admin-guide/options/cloud-auth.md %}
+
 {% include doc/admin-guide/options/headers-gRPC.md %}
 
 {% include doc/admin-guide/options/gRPC-keep-alive.md %}

doc/_admin-guide/070_Destinations/125_Loki/README.md

@@ -8,7 +8,13 @@ description: >-
     For more information on the message format, see Grafna Loki HTTP endpoint.
 ---
 
-### Example: loki() destination configuration
+## Authentication
+
+The `loki()` destination supports OAuth2 authentication using the `cloud-auth()` framework for gRPC-based communication.
+
+When configured, OAuth2 access tokens are automatically injected into gRPC requests. This follows the same authentication model used by other cloud-enabled destinations.
+
+## Example: loki() destination configuration
 
 ```config
 loki(
@@ -23,3 +29,28 @@ loki(
     batch-lines(1000)
 );
 ```
+
+## Example: loki() destination configuration with OAuth2 authentication
+
+```config
+loki(
+    url("loki.example.com:443")
+
+    cloud-auth(
+        oauth2(
+            client_id("client-id")
+            client_secret("client-secret")
+            token_url("https://auth.example.com/token")
+            scope("loki.write")
+        )
+    )
+
+    labels(
+        "app" => "$PROGRAM",
+        "host" => "$HOST",
+    )
+
+    workers(16)
+    batch-lines(1000)
+);
+```

doc/_admin-guide/070_Destinations/315_syslog-otlp/000_otlp-destination-options.md

@@ -66,6 +66,8 @@ destination {
 
 {% include doc/admin-guide/options/channel-args.md %}
 
+{% include doc/admin-guide/options/cloud-auth.md %}
+
 ## compression()
 
 |   Type:|       boolean|

doc/_admin-guide/070_Destinations/315_syslog-otlp/README.md

@@ -10,6 +10,7 @@ Advantages of using `syslog-ng-otlp()`:
 * The `workers()` option makes the scaling of the driver flexible.
 * An integrated application layer acknowledgement is available.
 * Google service authentication (ADC or ALTS), and improved load balancing are supported.
+* The syslog-ng-otlp() destination supports OAuth2 authentication via cloud-auth(oauth2()).
 
 ### Example: Configure syslog-ng-otlp() destination on the sender node
 
@@ -18,3 +19,21 @@ destination d_syslog_ng_otlp {
   syslog-ng-otlp(url("your-receiver-syslog-ng-instance:4317"));
 };
 ```
+
+### Example: Configure syslog-ng-otlp() destination using OAuth2
+
+```config
+destination d_syslog_ng_otlp {
+  syslog-ng-otlp(
+    url("example.com:443")
+    cloud-auth(
+      oauth2(
+        client_id("client-id")
+        client_secret("client-secret")
+        token_url("https://auth.example.com/token")
+        scope("api-scope")
+      )
+    )
+  );
+};
+```