telegraf
Support for EndpointParams for HTTP Output OAuth2's ClientCredentials auth config
Feature Request
Some OAuth2 identity services such as Auth0 require an audience parameter when requesting a token from their token endpoint. An example of a token request call can be found here (also posted below in case the link breaks). Currently, the http output plugin does not support additional parameters such as the above.
curl --request POST \
--url 'https://YOUR_DOMAIN/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=client_credentials \
--data client_id=YOUR_CLIENT_ID \
--data client_secret=YOUR_CLIENT_SECRET \
--data audience=YOUR_API_IDENTIFIER
Proposal:
Add token_endpoint_parameters to the http output plugin config, which will accept key-value pairs for additional ClientCredentials token request parameters.
For example:
[[outputs.http]]
url="https://myendpoint/metrics"
client_id="myclientid"
client_secret="myclientsecret"
token_url="https://mytenant.auth0.com/oauth/token"
data_format="json"
scopes=["write:telemetry"]
[outputs.http.headers]
Content-Type="application/json"
[outputs.http.token_endpoint_parameters]
audience="https://myaudience.cascadeo.io"
The parameters would then be passed to clientcredentials.Config as EndpointParameter.
Current behavior:
The HTTP output plugin does not accept additional token endpoint parameters.
Desired behavior:
The HTTP output plugin should accept additional token endpoint parameters such as audience, which is used by Auth0.
Use case:
This adds support for users using Auth0 to protect their HTTP endpoint, and for other auth providers that require additional parameters on the token request.
Next steps: look into adding a map config option for data parameters in a generic way.
Hi @jcortega, are you able to put together a PR to implement this, or are you still available to test it?
I think telegraf's existing OAuth2Config struct (in plugins/common/http/config.go) could be extended with another field for audience. Then we would need to change the CreateOauth2Client function to pass the audience to the x/oauth2 code.
It seems like x/oauth2 expects the audience in its EndpointParams config. I couldn't quickly find docs on how to do it, but here's the commit that adds this functionality to the x/oauth2 module. It has unit tests that show how to use it: https://github.com/golang/oauth2/commit/01b79d94479495d23e14e5ddc8f85a9271aff260
@jcortega can you please test the binary built in PR #12821 after CI finished the tests? Let me know if this fixes the issue!
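The following is an added example, not code from this thread, from telegraf or from x/oauth2: a standard-library-only sketch of how a generic key-value map such as the proposed token_endpoint_parameters could be merged into the client-credentials form body from the curl call above, while refusing keys that would override the credentials, grant type or scope. The names TokenRequestForm and reserved are hypothetical, and the sample values are constructed from the config in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// reserved lists the form fields the client-credentials request sets itself.
// Letting a free-form config map override them would let a typo or a
// templated value silently replace the credentials or the grant type.
var reserved = map[string]bool{
	"grant_type": true, "client_id": true, "client_secret": true, "scope": true,
}

// TokenRequestForm (hypothetical helper) builds the form body of the token
// request shown in the issue's curl call and merges the extra parameters
// into it, rejecting empty or reserved keys.
func TokenRequestForm(clientID, clientSecret string, scopes []string, extra map[string]string) (url.Values, error) {
	form := url.Values{
		"grant_type":    {"client_credentials"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
	}
	if len(scopes) > 0 {
		form.Set("scope", strings.Join(scopes, " "))
	}
	for k, v := range extra {
		if k == "" || reserved[strings.ToLower(k)] {
			return nil, fmt.Errorf("token endpoint parameter %q is not allowed", k)
		}
		form.Set(k, v)
	}
	return form, nil
}

func main() {
	// Constructed sample values mirroring the config proposed in the issue.
	form, err := TokenRequestForm("myclientid", "myclientsecret",
		[]string{"write:telemetry"},
		map[string]string{"audience": "https://myaudience.cascadeo.io"})
	if err != nil {
		panic(err)
	}
	form.Del("client_secret") // never print the secret, even in a demo
	fmt.Println(form.Encode())
}
```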