[Beats] Enhancement to add support to reuse OAuth token from parent call in case of chain call.

Open piyush-elastic opened this issue 2 years ago • 4 comments

While using OAuth authentication in the HTTP JSON input with a chain call, we observed that when there is an auth assigned to the parent and the child (the chain steps) has no auth assigned, the auth config (from the parent) as a whole gets assigned to the chain steps, so the auth call is made again.

The Filebeat configuration is below:

```yaml
filebeat.inputs:
- type: httpjson
  interval: 5m
  request.method: GET
  request.url: https://api.bitwarden.com/public/members
  auth.oauth2:
    client.id: {client_id}
    client.secret: {client_secret}
    token_url: https://identity.bitwarden.com/connect/token
    scopes: api.organization
    endpoint_params:
      grant_type: client_credentials
  request.rate_limit:
    reset: '[[ add (toInt (.last_response.header.Get "Retry-After")) ((now).Unix) ]]'
    remaining: '0'
  chain:
    - step:
        request.method: GET
        request.url: https://api.bitwarden.com/public/members/$.data[:].id
        request.rate_limit.reset: '[[ add (toInt (.last_response.header.Get "Retry-After")) ((now).Unix) ]]'
        request.rate_limit.remaining: '0'
        replace: $.data[:].id
  response.pagination:
    - set:
        target: url.params.continuationToken
        value: '[[if index .last_response.body "continuationToken"]][[.last_response.body.continuationToken]][[end]]'
        fail_on_template_error: true
output.file:
  path: "/home/testuser/beats"
  filename: "bitwarden"
```

Debug logs details:

Debug_log

Note: We came across this issue while using the Bitwarden \members API, where we have a time limit on hitting POST APIs (5) in a second, and we have other endpoints where we are already making POST calls (4 times), so this extra call is a major concern for us.

piyush-elastic, Mar 15 '23 11:03

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine, Mar 15 '23 17:03

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

elasticmachine, Jan 31 '24 21:01

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1:. Thank you for your contribution!

botelastic[bot], Jan 30 '25 21:01

Based on the description this sounds like a bug in the HTTPJSON input.

I think the top level is the only valid place for OAuth config, and I would expect it to be used for chained requests, but without having to reissue a token unless the current token has reached expiry.

Fixing this should be transparent to users. It will just stop making unnecessary requests.

chrisberkhout, Jun 03 '25 15:06
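
A simplified model of the behaviour discussed in this thread, added here as an example and not taken from the Beats code base. `tokenSource` and `tokenRequests` are hypothetical names, the call to `token_url` is replaced by a counter on a fake clock, and it assumes each chain step that inherits a copy of the parent auth config builds its own token source.

```go
package main

import (
	"fmt"
	"time"
)

// tokenSource caches one access token and calls fetch (a stand-in for the
// POST to token_url) only when no unexpired token is cached.
type tokenSource struct {
	value  string
	expiry time.Time
	fetch  func() (string, time.Time)
	now    func() time.Time
}

func (s *tokenSource) Token() string {
	if s.value == "" || !s.now().Before(s.expiry) {
		s.value, s.expiry = s.fetch()
	}
	return s.value
}

// tokenRequests simulates a parent request followed by `steps` chain steps and
// returns how many times the token endpoint was called. shared=false models
// the reported behaviour (assumption: one new token source per chain step).
func tokenRequests(steps int, shared bool, ttl, stepDelay time.Duration) int {
	calls, clock := 0, time.Unix(0, 0) // constructed fake clock, starts at epoch
	newSource := func() *tokenSource {
		return &tokenSource{
			fetch: func() (string, time.Time) { calls++; return fmt.Sprintf("tok-%d", calls), clock.Add(ttl) },
			now:   func() time.Time { return clock },
		}
	}
	parent := newSource()
	parent.Token() // the parent request authenticates once
	for i := 0; i < steps; i++ {
		clock = clock.Add(stepDelay)
		src := parent // desired: chain steps reuse the parent's cached token
		if !shared {
			src = newSource() // reported: copied auth config, empty cache
		}
		src.Token()
	}
	return calls
}

func main() {
	fmt.Println("copied vs shared:", tokenRequests(1, false, time.Hour, time.Second), tokenRequests(1, true, time.Hour, time.Second))
}
```

With a shared source, a second token request happens only once the fake clock reaches the cached token's expiry.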