GoogleCloudPlatform
diff --git a/‎extension/oauth2clientauthextension/README.md‎
Lines changed: 92 additions & 0 deletions b/‎extension/oauth2clientauthextension/README.md‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎extension/oauth2clientauthextension/clientcredentialsconfig.go‎
Lines changed: 104 additions & 0 deletions b/‎extension/oauth2clientauthextension/clientcredentialsconfig.go‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎extension/oauth2clientauthextension/config.go‎
Lines changed: 75 additions & 0 deletions b/‎extension/oauth2clientauthextension/config.go‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎extension/oauth2clientauthextension/config_test.go‎
Lines changed: 93 additions & 0 deletions b/‎extension/oauth2clientauthextension/config_test.go‎
Lines changed: 93 additions & 0 deletions
diff --git a/‎extension/oauth2clientauthextension/doc.go‎
Lines changed: 10 additions & 0 deletions b/‎extension/oauth2clientauthextension/doc.go‎
Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,92 @@
+# Authenticator - OAuth2 Client Credentials
+<!-- status autogenerated section -->
+| Status        |           |
+| ------------- |-----------|
+| Stability     | [beta]  |
+| Distributions | [contrib], [k8s] |
+| Issues        | [![Open issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aopen%20label%3Aextension%2Foauth2clientauth%20&label=open&color=orange&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aopen+is%3Aissue+label%3Aextension%2Foauth2clientauth) [![Closed issues](https://img.shields.io/github/issues-search/open-telemetry/opentelemetry-collector-contrib?query=is%3Aissue%20is%3Aclosed%20label%3Aextension%2Foauth2clientauth%20&label=closed&color=blue&logo=opentelemetry)](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aclosed+is%3Aissue+label%3Aextension%2Foauth2clientauth) |
+| [Code Owners](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/CONTRIBUTING.md#becoming-a-code-owner)    | [@pavankrish123](https://www.github.com/pavankrish123), [@jpkrohling](https://www.github.com/jpkrohling) |
+
+[beta]: https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/component-stability.md#beta
+[contrib]: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-contrib
+[k8s]: https://github.com/open-telemetry/opentelemetry-collector-releases/tree/main/distributions/otelcol-k8s
+<!-- end autogenerated section -->
+
+Copy of the goauth2clientauthextension.
+
+This extension provides OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters. The extension
+fetches and refreshes the token after expiry automatically. For further details about OAuth2 Client Credentials flow (2-legged workflow)
+refer https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.
+
+The authenticator type has to be set to `oauth2client`.
+
+## Configuration
+
+```yaml
+extensions:
+  oauth2client:
+    client_id: someclientid
+    client_secret: someclientsecret
+    endpoint_params:
+      audience: someaudience
+    token_url: https://example.com/oauth2/default/v1/token
+    scopes: ["api.metrics"]
+    # tls settings for the token client
+    tls:
+      insecure: true
+      ca_file: /var/lib/mycert.pem
+      cert_file: certfile
+      key_file: keyfile
+    # timeout for the token client
+    timeout: 2s
+    # buffer time before token expiry to refresh
+    expiry_buffer: 10s
+    
+receivers:
+  hostmetrics:
+    scrapers:
+      memory:
+  otlp:
+    protocols:
+      grpc:
+
+exporters:
+  otlphttp/withauth:
+    endpoint: http://localhost:9000
+    auth:
+      authenticator: oauth2client
+      
+  otlp/withauth:
+    endpoint: 0.0.0.0:5000
+    tls:
+      ca_file: /tmp/certs/ca.pem
+    auth:
+      authenticator: oauth2client
+
+service:
+  extensions: [oauth2client]
+  pipelines:
+    metrics:
+      receivers: [hostmetrics]
+      processors: []
+      exporters: [otlphttp/withauth, otlp/withauth]
+```
+
+Following are the configuration fields
+
+- [**token_url**](https://datatracker.ietf.org/doc/html/rfc6749#section-3.2) - The resource server's token endpoint URLs.
+- [**client_id**](https://datatracker.ietf.org/doc/html/rfc6749#section-2.2) - The client identifier issued to the client.
+- **client_id_file** - The file path to retrieve the client identifier issued to the client.
+  The extension reads this file and updates the client ID used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate. <!-- Intended whitespace for compact new line -->  
+  This setting takes precedence over `client_id`.
+- [**client_secret**](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1) - The secret string associated with above identifier.
+- **client_secret_file** - The file path to retrieve the secret string associated with above identifier.
+  The extension reads this file and updates the client secret used whenever it needs to issue a new token. This enables dynamically changing the client credentials by modifying the file contents when, for example, they need to rotate. <!-- Intended whitespace for compact new line -->  
+  This setting takes precedence over `client_secret`.
+- [**endpoint_params**](https://github.com/golang/oauth2/blob/master/clientcredentials/clientcredentials.go#L44) - Additional parameters that are sent to the token endpoint.
+- [**scopes**](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3) - **Optional** optional requested permissions associated for the client.
+- [**timeout**](https://golang.org/src/net/http/client.go#L90) -  **Optional** specifies the timeout on the underlying client to authorization server for fetching the tokens (initial and while refreshing).
+  This is optional and not setting this configuration implies there is no timeout on the client.
+- **expiry_buffer** -  **Optional** Specifies the time buffer to refresh the access token before it expires, preventing authentication failures due to token expiration. The default value is 5m.
+
+For more information on client side TLS settings, see [configtls README](https://github.com/open-telemetry/opentelemetry-collector/tree/main/config/configtls).
@@ -0,0 +1,104 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2clientauthextension // import "github.com/open-telemetry/opentelemetry-collector-contrib/extension/oauth2clientauthextension"
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"go.uber.org/multierr"
+	"golang.org/x/oauth2"
+	"golang.org/x/oauth2/clientcredentials"
+)
+
+// clientCredentialsConfig is a clientcredentials.Config wrapper to allow
+// values read from files in the ClientID and ClientSecret fields.
+//
+// Values from files can be retrieved by populating the ClientIDFile or
+// the ClientSecretFile fields with the path to the file.
+//
+// Priority: File > Raw value
+//
+// Example - Retrieve secret from file:
+//
+//	cfg := clientCredentialsConfig{
+//		Config: clientcredentials.Config{
+//			ClientID:     "clientId",
+//			...
+//		},
+//		ClientSecretFile: "/path/to/client/secret",
+//	}
+type clientCredentialsConfig struct {
+	clientcredentials.Config
+
+	ClientIDFile     string
+	ClientSecretFile string
+	ExpiryBuffer     time.Duration
+}
+
+type clientCredentialsTokenSource struct {
+	ctx    context.Context
+	config *clientCredentialsConfig
+}
+
+// clientCredentialsTokenSource implements TokenSource
+var _ oauth2.TokenSource = (*clientCredentialsTokenSource)(nil)
+
+func readCredentialsFile(path string) (string, error) {
+	f, err := os.ReadFile(path)
+	if err != nil {
+		return "", fmt.Errorf("failed to read credentials file %q: %w", path, err)
+	}
+
+	credential := strings.TrimSpace(string(f))
+	if credential == "" {
+		return "", fmt.Errorf("empty credentials file %q", path)
+	}
+	return credential, nil
+}
+
+func getActualValue(value, filepath string) (string, error) {
+	if len(filepath) > 0 {
+		return readCredentialsFile(filepath)
+	}
+
+	return value, nil
+}
+
+// createConfig creates a proper clientcredentials.Config with values retrieved
+// from files, if the user has specified '*_file' values
+func (c *clientCredentialsConfig) createConfig() (*clientcredentials.Config, error) {
+	clientID, err := getActualValue(c.ClientID, c.ClientIDFile)
+	if err != nil {
+		return nil, multierr.Combine(errNoClientIDProvided, err)
+	}
+
+	clientSecret, err := getActualValue(c.ClientSecret, c.ClientSecretFile)
+	if err != nil {
+		return nil, multierr.Combine(errNoClientSecretProvided, err)
+	}
+
+	return &clientcredentials.Config{
+		ClientID:       clientID,
+		ClientSecret:   clientSecret,
+		TokenURL:       c.TokenURL,
+		Scopes:         c.Scopes,
+		EndpointParams: c.EndpointParams,
+	}, nil
+}
+
+func (c *clientCredentialsConfig) TokenSource(ctx context.Context) oauth2.TokenSource {
+	return oauth2.ReuseTokenSourceWithExpiry(nil, clientCredentialsTokenSource{ctx: ctx, config: c}, c.ExpiryBuffer)
+}
+
+func (ts clientCredentialsTokenSource) Token() (*oauth2.Token, error) {
+	cfg, err := ts.config.createConfig()
+	if err != nil {
+		return nil, err
+	}
+	return cfg.TokenSource(ts.ctx).Token()
+}
@@ -0,0 +1,75 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2clientauthextension // import "github.com/open-telemetry/opentelemetry-collector-contrib/extension/oauth2clientauthextension"
+
+import (
+	"errors"
+	"net/url"
+	"time"
+
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/config/configopaque"
+	"go.opentelemetry.io/collector/config/configtls"
+)
+
+var (
+	errNoClientIDProvided     = errors.New("no ClientID provided in the OAuth2 exporter configuration")
+	errNoTokenURLProvided     = errors.New("no TokenURL provided in OAuth Client Credentials configuration")
+	errNoClientSecretProvided = errors.New("no ClientSecret provided in OAuth Client Credentials configuration")
+)
+
+// Config stores the configuration for OAuth2 Client Credentials (2-legged OAuth2 flow) setup.
+type Config struct {
+	// ClientID is the application's ID.
+	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.2
+	ClientID string `mapstructure:"client_id"`
+
+	// ClientIDFile is the file path to read the application's ID from.
+	ClientIDFile string `mapstructure:"client_id_file"`
+
+	// ClientSecret is the application's secret.
+	// See https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+	ClientSecret configopaque.String `mapstructure:"client_secret"`
+
+	// ClientSecretFile is the file pathg to read the application's secret from.
+	ClientSecretFile string `mapstructure:"client_secret_file"`
+
+	// EndpointParams specifies additional parameters for requests to the token endpoint.
+	EndpointParams url.Values `mapstructure:"endpoint_params"`
+
+	// TokenURL is the resource server's token endpoint
+	// URL. This is a constant specific to each server.
+	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.2
+	TokenURL string `mapstructure:"token_url"`
+
+	// Scope specifies optional requested permissions.
+	// See https://datatracker.ietf.org/doc/html/rfc6749#section-3.3
+	Scopes []string `mapstructure:"scopes,omitempty"`
+
+	// TLSSetting struct exposes TLS client configuration for the underneath client to authorization server.
+	TLSSetting configtls.ClientConfig `mapstructure:"tls,omitempty"`
+
+	// Timeout parameter configures `http.Client.Timeout` for the underneath client to authorization
+	// server while fetching and refreshing tokens.
+	Timeout time.Duration `mapstructure:"timeout,omitempty"`
+
+	// ExpiryBuffer specifies the time buffer before token expiry to refresh it.
+	ExpiryBuffer time.Duration `mapstructure:"expiry_buffer,omitempty"`
+}
+
+var _ component.Config = (*Config)(nil)
+
+// Validate checks if the extension configuration is valid
+func (cfg *Config) Validate() error {
+	if cfg.ClientID == "" && cfg.ClientIDFile == "" {
+		return errNoClientIDProvided
+	}
+	if cfg.ClientSecret == "" && cfg.ClientSecretFile == "" {
+		return errNoClientSecretProvided
+	}
+	if cfg.TokenURL == "" {
+		return errNoTokenURLProvided
+	}
+	return nil
+}
@@ -0,0 +1,93 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+package oauth2clientauthextension
+
+import (
+	"net/url"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.opentelemetry.io/collector/component"
+	"go.opentelemetry.io/collector/config/configtls"
+	"go.opentelemetry.io/collector/confmap/confmaptest"
+	"go.opentelemetry.io/collector/confmap/xconfmap"
+
+	"github.com/open-telemetry/opentelemetry-collector-contrib/extension/oauth2clientauthextension/internal/metadata"
+)
+
+func TestLoadConfig(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		id          component.ID
+		expected    component.Config
+		expectedErr error
+	}{
+		{
+			id: component.NewID(metadata.Type),
+			expected: &Config{
+				ClientSecret:   "someclientsecret",
+				ClientID:       "someclientid",
+				EndpointParams: url.Values{"audience": []string{"someaudience"}},
+				Scopes:         []string{"api.metrics"},
+				TokenURL:       "https://example.com/oauth2/default/v1/token",
+				Timeout:        time.Second,
+				ExpiryBuffer:   5 * time.Minute,
+			},
+		},
+		{
+			id: component.NewIDWithName(metadata.Type, "withtls"),
+			expected: &Config{
+				ClientSecret: "someclientsecret2",
+				ClientID:     "someclientid2",
+				Scopes:       []string{"api.metrics"},
+				TokenURL:     "https://example2.com/oauth2/default/v1/token",
+				Timeout:      time.Second,
+				TLSSetting: configtls.ClientConfig{
+					Config: configtls.Config{
+						CAFile:   "cafile",
+						CertFile: "certfile",
+						KeyFile:  "keyfile",
+					},
+					Insecure:           true,
+					InsecureSkipVerify: false,
+					ServerName:         "",
+				},
+				ExpiryBuffer: 15 * time.Second,
+			},
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missingurl"),
+			expectedErr: errNoTokenURLProvided,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missingid"),
+			expectedErr: errNoClientIDProvided,
+		},
+		{
+			id:          component.NewIDWithName(metadata.Type, "missingsecret"),
+			expectedErr: errNoClientSecretProvided,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.id.String(), func(t *testing.T) {
+			cm, err := confmaptest.LoadConf(filepath.Join("testdata", "config.yaml"))
+			require.NoError(t, err)
+			factory := NewFactory()
+			cfg := factory.CreateDefaultConfig()
+			sub, err := cm.Sub(tt.id.String())
+			require.NoError(t, err)
+			require.NoError(t, sub.Unmarshal(cfg))
+			if tt.expectedErr != nil {
+				assert.ErrorIs(t, xconfmap.Validate(cfg), tt.expectedErr)
+				return
+			}
+			assert.NoError(t, xconfmap.Validate(cfg))
+			assert.Equal(t, tt.expected, cfg)
+		})
+	}
+}
@@ -0,0 +1,10 @@
+// Copyright The OpenTelemetry Authors
+// SPDX-License-Identifier: Apache-2.0
+
+//go:generate mdatagen metadata.yaml
+
+// Package oauth2clientauthextension implements `cauth.Client`
+// This extension provides OAuth2 Client Credentials flow authenticator for HTTP and gRPC based exporters.
+// The extension fetches and refreshes the token after expiry
+// For further details about OAuth2 Client Credentials flow refer https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
+package oauth2clientauthextension // import "github.com/open-telemetry/opentelemetry-collector-contrib/extension/oauth2clientauthextension"