https://github.com/dmathieu/gatewayauth
- Host: GitHub
- URL: https://github.com/dmathieu/gatewayauth
- Owner: dmathieu
- Created: 2025-07-30T13:05:13.000Z (11 months ago)
- Default Branch: main
- Last Pushed: 2026-05-05T10:17:31.000Z (about 2 months ago)
- Last Synced: 2026-05-05T12:18:58.852Z (about 2 months ago)
- Language: Go
- Size: 481 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
README
# Gateway Auth
| Status | |
| ------------- | ----------- |
| Stability | [development] |
| Distributions | [] |
| Issues | [open](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aopen+is%3Aissue+label%3Aextension%2Fgatewayauth) [closed](https://github.com/open-telemetry/opentelemetry-collector-contrib/issues?q=is%3Aclosed+is%3Aissue+label%3Aextension%2Fgatewayauth) |
| Code coverage | [codecov](https://app.codecov.io/gh/open-telemetry/opentelemetry-collector-contrib/tree/main/?components%5B0%5D=extension_gatewayauth&displayType=list) |
| [Code Owners](https://github.com/open-telemetry/opentelemetry-collector-contrib/blob/main/CONTRIBUTING.md#becoming-a-code-owner) | [@dmathieu](https://www.github.com/dmathieu) |
[development]: https://github.com/open-telemetry/opentelemetry-collector/blob/main/docs/component-stability.md#development
This extension enables untrusted clients — such as browsers or mobile apps — to send telemetry directly to the OpenTelemetry Collector without embedding long-lived credentials. Instead of trusting the client directly, the Collector delegates authorization to an existing auth service you control: each incoming request's `Authorization` header is forwarded to a configurable HTTP endpoint, and access is granted only when that endpoint returns a 2xx response.
This makes it practical to expose a Collector endpoint to the public internet or to end-user devices, while keeping your authorization logic centralized in a backend system (e.g. an API gateway, an identity provider, or a custom auth service).
The authenticator type has to be set to `gatewayauth`.
## Configuration
- `endpoint` (required): URL of the authentication endpoint. The `Authorization` header from the incoming request is forwarded as-is. A 2xx response grants access.
- `cache_ttl`: How long to cache authentication results. Successful (2xx) and denied (other non-5xx) responses are both cached. Service errors (5xx) are never cached, so the next request is re-checked against the endpoint. Defaults to `0` (no caching).
- `cache_size`: Maximum number of entries in the authentication result cache. When `cache_ttl` is set, it must be greater than 0. Defaults to `1000`.
- `http_client`: HTTP client configuration for requests to the authentication endpoint. Supports `timeout`, TLS settings, proxy configuration, and all other fields from [confighttp](https://github.com/open-telemetry/opentelemetry-collector/tree/main/config/confighttp). Defaults to a 5-second timeout.
```yaml
extensions:
  gatewayauth:
    endpoint: https://auth.example.com/validate
  gatewayauth/withcache:
    endpoint: https://auth.example.com/validate
    cache_ttl: 5m
    cache_size: 5000
  gatewayauth/withtls:
    endpoint: https://auth.example.com/validate
    cache_ttl: 1m
    http_client:
      timeout: 2s
      tls:
        ca_file: /etc/ssl/certs/ca.pem

receivers:
  otlp:
    protocols:
      http:
        auth:
          authenticator: gatewayauth
      grpc:
        auth:
          authenticator: gatewayauth/withcache

service:
  extensions: [gatewayauth, gatewayauth/withcache, gatewayauth/withtls]
  pipelines:
    traces:
      receivers: [otlp]
      processors: []
      exporters: []
```