
How to secure our OpenTelemetry Endpoint with Keycloak?

  • I am only using OpenTelemetry Collector Gateway (no agents) in my scenario.
  • I have created an OTLP/HTTP endpoint and made it publicly available to receive telemetry data on it. But I want to make it secure, that is why I'm looking for Keycloak integration.

It would be great if any of the community members can help.

Thanks!


I am trying to secure the OpenTelemetry Endpoint with Keycloak. Requirement: I have exposed an OTLP/HTTP Otel endpoint publicly for receiving telemetry data from other sources. And to make it secure, I am integrating it with Keycloak.

I have tried to integrate it, added some configuration code in otel-collector-gateway as well, and created a client in Keycloak. And now when I access the endpoint, it says UNAUTHORISED.

But it's not giving any Keycloak page to enter credentials nor token. I am not sure where I went wrong.

Expectation: When I hit the endpoint, it should ask for Keycloak credentials/token for auth and after entering valid creds, it should work.

  • `some configuration code ... created client in keycloak` - this is not a reproducible example. Any answer will be only a guess, because you didn't show your exact configuration. – Jan Garaj Apr 26 '23 at 07:38
  • I agree with Jan that it's hard to provide an answer with the little context you shared (though I take it Jan has done some work in that direction, looking at https://github.com/jangaraj/keycloak-legacy-with-opentelemetry). Since we're in guessing space: I'd use the OAuth extension (https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oauth2clientauthextension) along with https://www.redhat.com/architect/oauth-20-authentication-keycloak but … – Michael Hausenblas Apr 26 '23 at 09:13

2 Answers

If you want to have your users redirected to Keycloak for auth in case no auth has been provided, you need an OAuth Proxy. I believe Keycloak provides one, but any generic OAuth Proxy would do.

But in general, the best solution is to use an auth extension like the OIDC auth extension, which would require incoming requests to contain a valid auth token, which is then validated by the extension. On valid tokens, the request is accepted, on invalid tokens the client receives an "unauthorized".

When developing the OIDC auth extension, I did use Keycloak for my tests so I have high confidence it works with it:

https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oidcauthextension

Here's a blog post I wrote back then, which might have outdated pieces here and there, but the idea as a whole should still be valid:

https://medium.com/opentelemetry/securing-your-opentelemetry-collector-1a4f9fa5bd6f

jpkroehling

Thanks for commenting.

I was taking the reference of the same blog by you sir Juraci Paixão Kröhling.

Ref Link : https://medium.com/opentelemetry/securing-your-opentelemetry-collector-1a4f9fa5bd6f

What I found out is when we write the oidc extensions block in otel-config:

extensions:
  oidc:
    issuer_url: http://{YOUR-KEYCLOAK-URL}/realms/{YOUR-REALM-NAME}
    audience: {YOUR-KEYCLOAK-CLIENT-NAME}
    attribute: Authorization

"A" in Authorization should be capital, and in the blog by you sir Juraci Paixão Kröhling it was lowercase, so that is why I ran into the problem, but after this change it is working well.

Thanks!

  • Which version of the collector are you using? I've seen this issue before and I'm confident it was fixed. The problem is that if you use gRPC, the header comes in as "authorization", while most regular HTTP clients would send "Authorization". Since a few versions, we have a case-insensitive approach to this. – jpkroehling May 04 '23 at 13:22
  • Hi @jpkroehling Sir, I'm using OpenTelemetry Collector helm chart version "0.38.2". Yes I was having the requirement to send data on OTLP/HTTP so was using that only. – Vaibhav Shah May 05 '23 at 14:13
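Added example (not from this thread, and not code from the collector project): a small Python model of what the oidc extension does with an incoming OTLP/HTTP request, so the two points raised above can be seen end to end. A client never gets a login page from the collector; it must already carry a bearer token in the header named by `attribute`, and the extension accepts it only when the token's signature, `iss`, `aud` and `exp` check out against `issuer_url` and `audience`. The header lookup is deliberately case-insensitive, which is the fix jpkroehling refers to for the "authorization" vs "Authorization" difference between gRPC and plain HTTP clients. Every value below is constructed for the example (the realm URL, client id, secret and claims); the token is HS256 with a shared secret only so the script runs offline, whereas Keycloak signs with RS256 and the real extension fetches the realm's public keys from its JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed stand-ins for the placeholders in the answer's oidc block.
ISSUER_URL = "http://keycloak.example/realms/demo"   # issuer_url
AUDIENCE = "otel-collector"                          # audience (Keycloak client id)
ATTRIBUTE = "Authorization"                          # attribute (header carrying the token)
SHARED_SECRET = b"constructed-test-secret"           # hypothetical key; Keycloak uses RS256 + JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a signed JWT the way an OAuth client would receive one from the
    realm's token endpoint (HS256 here purely so the example is self-contained)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def extract_bearer(headers: dict, attribute: str = ATTRIBUTE) -> Optional[str]:
    """Locate the token regardless of header-name case. HTTP/1.1 header names
    and gRPC metadata keys are case-insensitive, so 'authorization' from a gRPC
    client and 'Authorization' from a typical HTTP client must both match."""
    for name, value in headers.items():
        if name.lower() == attribute.lower():
            scheme, _, token = value.partition(" ")
            if scheme.lower() == "bearer" and token:
                return token
    return None


def verify_token(token: str, now: Optional[float] = None,
                 secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Mirror the checks the oidc extension applies: signature, issuer,
    audience and expiry. Returns (accepted, detail)."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER_URL:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if AUDIENCE not in aud:
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, claims.get("preferred_username", "")


def authenticate(headers: dict, now: Optional[float] = None) -> Tuple[int, str]:
    """Status the receiver answers with (200 accepted / 401 rejected) and why."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "no bearer token"
    ok, detail = verify_token(token, now)
    return (200, detail) if ok else (401, detail)


if __name__ == "__main__":
    now = time.time()
    good = mint_token({"iss": ISSUER_URL, "aud": AUDIENCE, "exp": now + 300,
                       "preferred_username": "otel-exporter"})
    # Both header spellings are accepted; a request with no token is refused
    # without any redirect, which is the UNAUTHORISED the question describes.
    for hdrs in ({"Authorization": "Bearer " + good},
                 {"authorization": "Bearer " + good},
                 {"Content-Type": "application/x-protobuf"}):
        print(hdrs.keys(), "->", authenticate(hdrs, now))
```

In the collector itself the extension is wired in with `auth: { authenticator: oidc }` under `receivers.otlp.protocols.http` and listed in `service.extensions`; the exporting side then obtains a token from the realm (for a service, the client-credentials grant against the Keycloak client named in `audience`) and sends it as `Authorization: Bearer <token>` with every OTLP request.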