
@ahayworth

Description

When provided, the extension will attempt to load a static set of public keys from a JWKS file at the given path. These keys (and only these keys) will be used to verify the signatures of incoming tokens. Discovery will be disabled for any provider so configured.

In addition, the extension will set up a file watcher for each directory referenced in this way, and will hot-reload the static keys in the JWKS file whenever a change is noticed. This allows keys to be rotated without necessarily needing to restart the collector. We extend the providerContainer with a Verify method, so that we can encapsulate the decision of "should we grab the mutex" in one location (we only need to grab the mutex when using static configuration - it's unused otherwise and we can avoid paying the cost of grabbing the lock).

Due to limitations of the underlying go-oidc library, only RSA, ECDSA, and ED25519 public keys are supported.

Link to tracking issue

Fixes #44899

Testing

The following tests were added:

  • Config validation passes when a provider is configured with a valid public_keys_file
  • Config validation fails when a provider is configured with an invalid public_keys_file
  • Extension cannot start when a provider is configured with an invalid public_keys_file
  • Hot-reload works (asserting authentication failure when configured with valid-but-incorrect keys, and then authentication success when the file is updated with correct keys).

Additionally, I manually tested that I could sign a JWT with an internal key, send telemetry to a local collector using that JWT as an auth header, and that the collector validated the signature and accepted the telemetry with keys from the public_keys_file. I had my network disabled for good measure, to ensure we didn't try to load it from our internal OIDC discovery endpoint. 😄

Documentation

The README was updated to reference the new configuration setting.

@ahayworth ahayworth requested a review from a team as a code owner January 9, 2026 16:31
@ahayworth ahayworth requested a review from ArthurSens January 9, 2026 16:31
@github-actions github-actions bot added the first-time contributor PRs made by new contributors label Jan 9, 2026

github-actions bot commented Jan 9, 2026

Welcome, contributor! Thank you for your contribution to opentelemetry-collector-contrib.

Important reminders:

A maintainer will review your pull request soon. Thank you for helping make OpenTelemetry better!

@ahayworth

/rerun

Development

Successfully merging this pull request may close these issues.

[extension/oidcauth] Use static public keys for OIDC signature verification
