opentelemetry-java icon indicating copy to clipboard operation
opentelemetry-java copied to clipboard
verified publisher icon open-telemetry

ProxyAuthenticator Support for OtlpHttp{Signal}Exporters

Open jigarkb opened this issue 1 year ago • 6 comments

Is your feature request related to a problem? Please describe. OtlpHttp{Signal}Exporters do support Proxy configuration. Thanks to this issue https://github.com/open-telemetry/opentelemetry-java/issues/6204. However, we don't expose the ProxyAuthenticator that OkHttp requires if want to use an authenticated proxy. See https://github.com/square/okhttp/issues/3607 for more details on why we can't just set the Proxy-Authorization header.

Describe the solution you'd like Enhance ProxyOptions class to support providing ProxyAuthenticator in addition to ProxySelector.

jigarkb avatar Oct 25 '24 01:10 jigarkb

We have an experimental configuration optional called Authenticator modeled after the OkHttp Authenticator concept.

Its a bit hard to use right now.. Something like:

    OtlpHttpMetricExporterBuilder exporterBuilder =
        OtlpHttpMetricExporter.builder()
            .setEndpoint(...)
            .setProxyOptions(...);
    Authenticator.setAuthenticatorOnDelegate(
        exporterBuilder,
        () -> Collections.singletonMap("Proxy-Authorization", proxyAuthorizationToken()));
    OtlpHttpMetricExporter exporter = exporterBuilder.build();

See OkHttpHttpSender for details on how its translated to the Okhttp Authenticator.

Is there something specific about proxy authentication that makes our Authenticator insufficient?

jack-berg avatar Oct 29 '24 21:10 jack-berg

@jack-berg The issue is okhttp won't accept Proxy-Authorization from normal Authenticator. It requires us to set proxyAuthenticator from builder. See https://github.com/square/okhttp/blob/90d2c07566ba552c5320b00249f61a9469270117/okhttp/src/main/kotlin/okhttp3/OkHttpClient.kt#L777-L786 and https://github.com/square/okhttp/blob/90d2c07566ba552c5320b00249f61a9469270117/okhttp/src/main/kotlin/okhttp3/OkHttpClient.kt#L869-L882

jigarkb avatar Oct 29 '24 21:10 jigarkb

I see. I think it probably makes sense to add support for setting an Authenticator specifically for use with the proxy.

But really we ought to revisit Authenticator, which has been around for a while, yet doesn't feel particularly close to stabilizing, since its not supported in JdkHttpSender, or OkHttpGrpcSender, UpstreamGrpcSender. The concept seems sort of half-baked, and its API and semantics need to be better articulated so it can be supported outside of just OkHttp.

jack-berg avatar Oct 29 '24 22:10 jack-berg

I realize the Authenticator implementation is still incomplete. In the meantime, would it be acceptable to proceed with adding the Authenticator to ProxyOptions and using it within OkHttpHttpSender? If so, I can contribute and open a PR for review.

jigarkb avatar Oct 30 '24 22:10 jigarkb

Authenticator was removed in #6984, but I think it makes sense to add proxy overloads that allow additional headers to be provided. Something like:

OtlpHttpSpanExporter.builder()
  .setProxy(
     ProxyOptions.create(InetSocketAddress.createUnresolved("host", "port")),
     () -> Map.of("Proxy-Authorization", "...."))

I took a look at the source code and we would be able to incorporate this type of pattern into JdkHttpSender and OkHttpSender.

If anyone does want to work on this, you'll have to wait on #7151 to avoid conflicts.

jack-berg avatar Mar 04 '25 21:03 jack-berg

Pinging back on this thread, we'd like this feature too--@jigarkb are you still up for contributing?

cheempz avatar Sep 16 '25 18:09 cheempz