OIDC auth extension header handling should be case-insensitive

[alexvanboxel]

Component(s)

extension/oidcauth

What happened?

Description

The OIDC auth extension header handling should be case-insensitive; also the default header key is declared as authorization, while most systems provide the Authorization header capitalized. The HTTP spec also specifies that HTTP headers are case-insensitive.

Steps to Reproduce

Use the OIDC extension, without specifying the attribute key (so default is used), do a call with a JWT bearer token, with as key the capitalized Authorization.

Expected Result

200 OK

Actual Result

401 Unauthorized

Collector version

0.77

Environment information

Environment

OS: MacOS

OpenTelemetry Collector configuration

receivers:
  googlecloudpubsub:
    mode: "push"
    project: collibra-telemetry
    subscription: projects/acme/subscriptions/test
    push:
      path: "/"
      endpoint: "0.0.0.0:${PORT}"
      auth:
        authenticator: oidc

extensions:
  oidc:
    issuer_url: https://accounts.google.com
    audience: otel
    username_claim: email
    attribute: Authorization

processors:
  batch:

exporters:
  logging:
    logLevel: info

service:
  extensions: [oidc]
  pipelines:
    traces:
      receivers: [googlecloudpubsub]
      exporters: [logging]
    metrics:
      receivers: [googlecloudpubsub]
      exporters: [logging]
    logs:
      receivers: [googlecloudpubsub]
      exporters: [logging]

  telemetry:
    logs:
      level: INFO

Log output

No response

Additional context

Workaround for now, declare the attribute explicitly:

  oidc:
    # https://accounts.google.com/.well-known/openid-configuration
    issuer_url: https://accounts.google.com
    audience: otel
    username_claim: email
    attribute: Authorization```

[github-actions]

Pinging code owners:

• extension/oidcauth: @jpkrohling

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[jpkrohling]

Interesting, this should have been fixed by this: open-telemetry/opentelemetry-collector#5646

Would you be interested in looking at the source code and figuring out why this isn't happening?

[jpkrohling]

Here's the problematic code:

opentelemetry-collector-contrib/extension/oidcauthextension/extension.go

Lines 93 to 96 in 8f6fc8f

	authHeaders := headers[e.cfg.Attribute]
	if len(authHeaders) == 0 {
	return ctx, errNotAuthenticated
	}

Perhaps a similar solution to the PR I linked earlier would apply here:
https://github.com/open-telemetry/opentelemetry-collector/blob/1ca481b86e1856ad25dbe2598340cc9066d7f950/client/client.go#L161-L183

[alexvanboxel]

Yes, a similar solution will work. First, I need to finish my upcoming revision for the googlepubsubreceiver (that will use this extension in push mode).

[alexvanboxel]

@jpkrohling the PR is green, and waiting for review: #18607

[andrzej-stencel]

You specified "Collector version 0.77", but this version didn't exist at the time of filing this issue 🙃
I think you meant v0.70.0.