Documentationbreadcrumb arrow Grafana Cloudbreadcrumb arrow Instrument and send databreadcrumb arrow Grafana Alloybreadcrumb arrow Referencebreadcrumb arrow Componentsbreadcrumb arrow otelcolbreadcrumb arrow otelcol.auth.oauth2
General availability (GA) Open source Grafana Cloud

otelcol.auth.oauth2

otelcol.auth.oauth2 exposes a handler that other otelcol components can use to authenticate requests using OAuth 2.0.

This component only supports client authentication.

The authorization tokens can be used by HTTP and gRPC based OpenTelemetry exporters. This component can fetch and refresh expired tokens automatically. Refer to the OAuth 2.0 Authorization Framework for more information about the Auth 2.0 Client Credentials flow.

Note

otelcol.auth.oauth2 is a wrapper over the upstream OpenTelemetry Collector oauth2client extension. Bug reports or feature requests will be redirected to the upstream repository, if necessary.

You can specify multiple otelcol.auth.oauth2 components by giving them different labels.

Usage

Alloy 
otelcol.auth.oauth2 "<LABEL>" {
    client_id     = "<CLIENT_ID>"
    client_secret = "<CLIENT_SECRET>"
    token_url     = "<TOKEN_URL>"
}

Arguments

You can use the following arguments with otelcol.auth.oauth2:

NameTypeDescriptionDefaultRequired
token_urlstringThe server endpoint URL from which to get tokens.""yes
audiencestringJWT audience claim for JWT bearer grant. Defaults to token_url when empty.""no
claimsmap(any)Additional JWT claims for JWT bearer grant.{}no
client_certificate_keysecretJWT bearer private key.""no
client_certificate_key_filestringPath to a file containing the JWT bearer private key.""no
client_certificate_key_idstringKey ID included in JWT bearer grant requests.""no
client_idstringThe client identifier issued to the client.""no
client_id_filestringPath to a file containing the client identifier.""no
client_secretsecretThe secret string associated with the client identifier.""no
client_secret_filestringPath to a file containing the client secret.""no
endpoint_paramsmap(list(string))Additional parameters that are sent to the token endpoint.{}no
expiry_bufferdurationTime before token expiry when refresh should happen."0s"no
grant_typestringOAuth2 grant type. Valid values: "client_credentials" or "urn:ietf:params:oauth:grant-type:jwt-bearer"."client_credentials"no
issstringJWT issuer claim for JWT bearer grant. Defaults to client_id when empty.""no
scopeslist(string)Requested permissions associated for the client.[]no
signature_algorithmstringJWT signing algorithm for JWT bearer grant. Valid values: RS256, RS384, RS512."RS256"no
timeoutdurationThe timeout on the client connecting to token_url."0s"no

The timeout argument is used both for requesting initial tokens and for refreshing tokens. "0s" implies no timeout.

At least one of the client_id and client_id_file pair of arguments must be set. If both are set, client_id_file takes precedence.

If grant_type is client_credentials (default), at least one of client_secret or client_secret_file must be set. If both are set, client_secret_file takes precedence.

If grant_type is urn:ietf:params:oauth:grant-type:jwt-bearer, at least one of client_certificate_key or client_certificate_key_file must be set. If both are set, client_certificate_key_file takes precedence.

Blocks

You can use the following blocks with otelcol.auth.oauth2:

BlockDescriptionRequired
debug_metricsConfigures the metrics that this component generates to monitor its state.no
tlsTLS settings for the token client.no
tls > tpmTPM settings for the TLS key_file.no

debug_metrics

The debug_metrics block configures the metrics that this component generates to monitor its state.

The following arguments are supported:

NameTypeDescriptionDefaultRequired
disable_high_cardinality_metricsbooleanWhether to disable certain high cardinality metrics.trueno

disable_high_cardinality_metrics is the Alloy equivalent to the telemetry.disableHighCardinalityMetrics feature gate in the OpenTelemetry Collector. It removes attributes that could cause high cardinality metrics. For example, attributes with IP addresses and port numbers in metrics about HTTP and gRPC connections are removed.

Note

If configured, disable_high_cardinality_metrics only applies to otelcol.exporter.* and otelcol.receiver.* components.

tls

The tls block configures TLS settings used for connecting to the token client. If the tls block isn’t provided, TLS won’t be used for communication.

The following arguments are supported:

NameTypeDescriptionDefaultRequired
ca_filestringPath to the CA file.no
ca_pemstringCA PEM-encoded text to validate the server with.no
cert_filestringPath to the TLS certificate.no
cert_pemstringCertificate PEM-encoded text for client authentication.no
cipher_suiteslist(string)A list of TLS cipher suites that the TLS transport can use.[]no
curve_preferenceslist(string)Set of elliptic curves to use in a handshake.[]no
include_system_ca_certs_poolbooleanWhether to load the system certificate authorities pool alongside the certificate authority.falseno
insecure_skip_verifybooleanIgnores insecure server TLS certificates.no
insecurebooleanDisables TLS when connecting to the configured server.no
key_filestringPath to the TLS certificate key.no
key_pemsecretKey PEM-encoded text for client authentication.no
max_versionstringMaximum acceptable TLS version for connections."TLS 1.3"no
min_versionstringMinimum acceptable TLS version for connections."TLS 1.2"no
reload_intervaldurationThe duration after which the certificate is reloaded."0s"no
server_namestringVerifies the hostname of server certificates when set.no

If the server doesn’t support TLS, you must set the insecure argument to true.

To disable tls for connections to the server, set the insecure argument to true.

If you set reload_interval to "0s", the certificate never reloaded.

The following pairs of arguments are mutually exclusive and can’t both be set simultaneously:

  • ca_pem and ca_file
  • cert_pem and cert_file
  • key_pem and key_file

If cipher_suites is left blank, a safe default list is used. Refer to the Go TLS documentation for a list of supported cipher suites.

The curve_preferences argument determines the set of elliptic curves to prefer during a handshake in preference order. If not provided, a default list is used. The set of elliptic curves available are X25519, P521, P256, and P384.

tpm

The tpm block configures retrieving the TLS key_file from a trusted device.

The following arguments are supported:

NameTypeDescriptionDefaultRequired
authstringThe authorization value used to authenticate the TPM device.""no
enabledboolLoad the tls.key_file from TPM.falseno
owner_authstringThe owner authorization value used to authenticate the TPM device.""no
pathstringPath to the TPM device or Unix domain socket.""no

The trusted platform module (TPM) configuration can be used for loading TLS key from TPM. Currently only TSS2 format is supported.

The path attribute is not supported on Windows.

In the following example, the private key my-tss2-key.key in TSS2 format is loaded from the TPM device /dev/tmprm0:

Alloy 
otelcol.example.component "<LABEL>" {
    ...
    tls {
        ...
        key_file = "my-tss2-key.key"
        tpm {
            enabled = true
            path = "/dev/tpmrm0"
        }
    }
}

Exported fields

The following fields are exported and can be referenced by other components:

NameTypeDescription
handlercapsule(otelcol.Handler)A value that other components can use to authenticate requests.

Component health

otelcol.auth.oauth2 is only reported as unhealthy if given an invalid configuration.

Debug information

otelcol.auth.oauth2 doesn’t expose any component-specific debug information.

Example

This example configures otelcol.exporter.otlp to use OAuth 2.0 for authentication:

Alloy 
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler
  }
}

otelcol.auth.oauth2 "creds" {
    client_id     = "someclientid"
    client_secret = "someclientsecret"
    token_url     = "https://example.com/oauth2/default/v1/token"
}

Here is another example with some optional attributes specified:

Alloy 
otelcol.exporter.otlp "example" {
  client {
    endpoint = "my-otlp-grpc-server:4317"
    auth     = otelcol.auth.oauth2.creds.handler
  }
}

otelcol.auth.oauth2 "creds" {
    client_id       = "someclientid2"
    client_secret   = "someclientsecret2"
    token_url       = "https://example.com/oauth2/default/v1/token"
    endpoint_params = {"audience" = ["someaudience"]}
    scopes          = ["api.metrics"]
    timeout         = "3600s"
}