---
title: "otelcol.auth.oauth2 | Grafana Alloy documentation"
description: "Learn about otelcol.auth.oauth2"
---

# `otelcol.auth.oauth2`

`otelcol.auth.oauth2` exposes a `handler` that other `otelcol` components can use to authenticate requests using OAuth 2.0.

This component only supports client authentication.

The authorization tokens can be used by HTTP and gRPC based OpenTelemetry exporters. This component can fetch and refresh expired tokens automatically. Refer to the [OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) for more information about the Auth 2.0 Client Credentials flow.

> Note
> 
> `otelcol.auth.oauth2` is a wrapper over the upstream OpenTelemetry Collector [`oauth2client`](https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/v0.147.0/extension/oauth2clientauthextension) extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple `otelcol.auth.oauth2` components by giving them different labels.

## Usage

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.auth.oauth2 "<LABEL>" {
    client_id     = "<CLIENT_ID>"
    client_secret = "<CLIENT_SECRET>"
    token_url     = "<TOKEN_URL>"
}
```

## Arguments

You can use the following arguments with `otelcol.auth.oauth2`:

Expand table

| Name                          | Type                | Description                                                                                                 | Default                | Required |
|-------------------------------|---------------------|-------------------------------------------------------------------------------------------------------------|------------------------|----------|
| `token_url`                   | `string`            | The server endpoint URL from which to get tokens.                                                           | `""`                   | yes      |
| `audience`                    | `string`            | JWT audience claim for JWT bearer grant. Defaults to `token_url` when empty.                                | `""`                   | no       |
| `claims`                      | `map(any)`          | Additional JWT claims for JWT bearer grant.                                                                 | `{}`                   | no       |
| `client_certificate_key`      | `secret`            | JWT bearer private key.                                                                                     | `""`                   | no       |
| `client_certificate_key_file` | `string`            | Path to a file containing the JWT bearer private key.                                                       | `""`                   | no       |
| `client_certificate_key_id`   | `string`            | Key ID included in JWT bearer grant requests.                                                               | `""`                   | no       |
| `client_id`                   | `string`            | The client identifier issued to the client.                                                                 | `""`                   | no       |
| `client_id_file`              | `string`            | Path to a file containing the client identifier.                                                            | `""`                   | no       |
| `client_secret`               | `secret`            | The secret string associated with the client identifier.                                                    | `""`                   | no       |
| `client_secret_file`          | `string`            | Path to a file containing the client secret.                                                                | `""`                   | no       |
| `endpoint_params`             | `map(list(string))` | Additional parameters that are sent to the token endpoint.                                                  | `{}`                   | no       |
| `expiry_buffer`               | `duration`          | Time before token expiry when refresh should happen.                                                        | `"0s"`                 | no       |
| `grant_type`                  | `string`            | OAuth2 grant type. Valid values: `"client_credentials"` or `"urn:ietf:params:oauth:grant-type:jwt-bearer"`. | `"client_credentials"` | no       |
| `iss`                         | `string`            | JWT issuer claim for JWT bearer grant. Defaults to `client_id` when empty.                                  | `""`                   | no       |
| `scopes`                      | `list(string)`      | Requested permissions associated for the client.                                                            | `[]`                   | no       |
| `signature_algorithm`         | `string`            | JWT signing algorithm for JWT bearer grant. Valid values: `RS256`, `RS384`, `RS512`.                        | `"RS256"`              | no       |
| `timeout`                     | `duration`          | The timeout on the client connecting to `token_url`.                                                        | `"0s"`                 | no       |

The `timeout` argument is used both for requesting initial tokens and for refreshing tokens. `"0s"` implies no timeout.

At least one of the `client_id` and `client_id_file` pair of arguments must be set. If both are set, `client_id_file` takes precedence.

If `grant_type` is `client_credentials` (default), at least one of `client_secret` or `client_secret_file` must be set. If both are set, `client_secret_file` takes precedence.

If `grant_type` is `urn:ietf:params:oauth:grant-type:jwt-bearer`, at least one of `client_certificate_key` or `client_certificate_key_file` must be set. If both are set, `client_certificate_key_file` takes precedence.

## Blocks

You can use the following blocks with `otelcol.auth.oauth2`:

No valid configuration blocks found.

### `debug_metrics`

The `debug_metrics` block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

Expand table

| Name                               | Type      | Description                                          | Default | Required |
|------------------------------------|-----------|------------------------------------------------------|---------|----------|
| `disable_high_cardinality_metrics` | `boolean` | Whether to disable certain high cardinality metrics. | `true`  | no       |

`disable_high_cardinality_metrics` is the Alloy equivalent to the `telemetry.disableHighCardinalityMetrics` feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

> Note
> 
> If configured, `disable_high_cardinality_metrics` only applies to `otelcol.exporter.*` and `otelcol.receiver.*` components.

### `tls`

The `tls` block configures TLS settings used for connecting to the token client. If the `tls` block isn’t provided, TLS won’t be used for communication.

The following arguments are supported:

Expand table

| Name                           | Type           | Description                                                                                  | Default     | Required |
|--------------------------------|----------------|----------------------------------------------------------------------------------------------|-------------|----------|
| `ca_file`                      | `string`       | Path to the CA file.                                                                         |             | no       |
| `ca_pem`                       | `string`       | CA PEM-encoded text to validate the server with.                                             |             | no       |
| `cert_file`                    | `string`       | Path to the TLS certificate.                                                                 |             | no       |
| `cert_pem`                     | `string`       | Certificate PEM-encoded text for client authentication.                                      |             | no       |
| `cipher_suites`                | `list(string)` | A list of TLS cipher suites that the TLS transport can use.                                  | `[]`        | no       |
| `curve_preferences`            | `list(string)` | Set of elliptic curves to use in a handshake.                                                | `[]`        | no       |
| `include_system_ca_certs_pool` | `boolean`      | Whether to load the system certificate authorities pool alongside the certificate authority. | `false`     | no       |
| `insecure_skip_verify`         | `boolean`      | Ignores insecure server TLS certificates.                                                    |             | no       |
| `insecure`                     | `boolean`      | Disables TLS when connecting to the configured server.                                       |             | no       |
| `key_file`                     | `string`       | Path to the TLS certificate key.                                                             |             | no       |
| `key_pem`                      | `secret`       | Key PEM-encoded text for client authentication.                                              |             | no       |
| `max_version`                  | `string`       | Maximum acceptable TLS version for connections.                                              | `"TLS 1.3"` | no       |
| `min_version`                  | `string`       | Minimum acceptable TLS version for connections.                                              | `"TLS 1.2"` | no       |
| `reload_interval`              | `duration`     | The duration after which the certificate is reloaded.                                        | `"0s"`      | no       |
| `server_name`                  | `string`       | Verifies the hostname of server certificates when set.                                       |             | no       |

If the server doesn’t support TLS, you must set the `insecure` argument to `true`.

To disable `tls` for connections to the server, set the `insecure` argument to `true`.

If you set `reload_interval` to `"0s"`, the certificate never reloaded.

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

- `ca_pem` and `ca_file`
- `cert_pem` and `cert_file`
- `key_pem` and `key_file`

If `cipher_suites` is left blank, a safe default list is used. Refer to the [Go TLS documentation](https://go.dev/src/crypto/tls/cipher_suites.go) for a list of supported cipher suites.

The `curve_preferences` argument determines the set of [elliptic curves](https://go.dev/src/crypto/tls/common.go#L138) to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves available are `X25519`, `P521`, `P256`, and `P384`.

### `tpm`

The `tpm` block configures retrieving the TLS `key_file` from a trusted device.

The following arguments are supported:

Expand table

| Name         | Type     | Description                                                        | Default | Required |
|--------------|----------|--------------------------------------------------------------------|---------|----------|
| `auth`       | `string` | The authorization value used to authenticate the TPM device.       | `""`    | no       |
| `enabled`    | `bool`   | Load the `tls.key_file` from TPM.                                  | `false` | no       |
| `owner_auth` | `string` | The owner authorization value used to authenticate the TPM device. | `""`    | no       |
| `path`       | `string` | Path to the TPM device or Unix domain socket.                      | `""`    | no       |

The [trusted platform module](https://trustedcomputinggroup.org/resource/trusted-platform-module-tpm-summary/) (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.

The `path` attribute is not supported on Windows.

In the following example, the private key `my-tss2-key.key` in TSS2 format is loaded from the TPM device `/dev/tmprm0`:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.example.component "<LABEL>" {
    ...
    tls {
        ...
        key_file = "my-tss2-key.key"
        tpm {
            enabled = true
            path = "/dev/tpmrm0"
        }
    }
}
```

## Exported fields

The following fields are exported and can be referenced by other components:

Expand table

| Name      | Type                       | Description                                                     |
|-----------|----------------------------|-----------------------------------------------------------------|
| `handler` | `capsule(otelcol.Handler)` | A value that other components can use to authenticate requests. |

## Component health

`otelcol.auth.oauth2` is only reported as unhealthy if given an invalid configuration.

## Debug information

`otelcol.auth.oauth2` doesn’t expose any component-specific debug information.

## Example

This example configures [`otelcol.exporter.otlp`](../otelcol.exporter.otlp/) to use OAuth 2.0 for authentication:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler
  }
}

otelcol.auth.oauth2 "creds" {
    client_id     = "someclientid"
    client_secret = "someclientsecret"
    token_url     = "https://example.com/oauth2/default/v1/token"
}
```

Here is another example with some optional attributes specified:

Alloy ![Copy code to clipboard](/media/images/icons/icon-copy-small-2.svg) Copy

```alloy
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler
  }
}

otelcol.auth.oauth2 "creds" {
    client_id       = "someclientid2"
    client_secret   = "someclientsecret2"
    token_url       = "https://example.com/oauth2/default/v1/token"
    endpoint_params = {"audience" = ["someaudience"]}
    scopes          = ["api.metrics"]
    timeout         = "3600s"
}
```