-
Notifications
You must be signed in to change notification settings - Fork 852
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Authenticator conceptually flawed #6975
Comments
@sfriberg - you contributed |
So if I'm understanding correctly, current Authenticator doesn't provide extra value over setHeaders, and if I want to pass in an authentication header for grpc, I should just do something like OtlpGrpcMetricExporterBuilder otlpGrpcMetricExporterBuilder = OtlpGrpcMetricExporter.builder().setHeaders(() -> {
String token = GoogleCredentials.getApplicationDefault().refreshAccessToken().getTokenValue();
return Map.of("custom-auth-header", token);
}).setEndpoint(collectorEndpoint); following header convention here: https://grpc.io/docs/guides/auth/#with-server-authentication-ssltls-and-a-custom-header-with-token. |
Yes, currently that's the case. But ideally the supplier is aware of the access token's TTL, and only refreshes when needed, instead of on every request. Its possible we could enhance authenticator, but I'm struggling to imagine a situation where it would offer any benefit over the Right now, I'm inclined to delete |
Deleting it makes sense to me. But it'll be nice to document how to do authentication in the official documentation, given that the interest for authentication is increasing. When I was doing research, the |
Yes better docs on this seem important. I've opened a PR to extend our SDK docs with a section on OTLP authentication: open-telemetry/opentelemetry.io#5866 This PR includes a code snippet which shows how |
In reviewing #6952 I've identified a conceptual flaw in Authenticator.
To demonstrate, I've pushed a commit to revise our main Authenticator test code:
The workflow goes like this:
Notes:
setHeaders(Supplier<Map<String, String>>)
. There's no way for the supplier to be reactive to a 401 response from the server, which means it must rely on knowing when its access token expires and be able to refresh accordingly. However, at least the flow doesn't depend on every single export request getting a 401 just to add an access token in the next request and get a 200.I'm really struggling to see the value in
Authenticator
at all at the moment. We could partially fix it by adjusting the contract to beMap<String, String> getHeaders(@Nullable HttpResponse)
, which on its face gives the implementation a way to react to the http resonse and only fetch an access token if its a 401. But because OkHttp's design for Authenticator means its not called until the client receives a challenge from the server, this would still mean that every export request gets a 401 followed by a 200.It seems like the only way that
Authenticator
can be useful right now is by using it _in combination withsetHeaders(Supplier<Map<String, String>>)
. Something like this:Notes:
Supplier<Map<String, String>
viaget()
Authenticator
viagetHeader()
The problem with this design is that it relies on the underlying HTTP client to be able to call Authenticator only when it receives a challenge from the server (i.e. 401 response). OkHttp supports this. We can make the JDK HttpClient behave like this. I'm not sure if the upstream grpc client library has the configurability to do something like this.
The text was updated successfully, but these errors were encountered: