"bearertokenauth" extension Always return "401 Unauthorized" via HTTP connection

[tangx]

Component(s)

extension/bearertokenauth

What happened?

Description

When set bearertokenauth

it always returns "401 Unauthorized" via HTTP(S) Connection.

HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/28 18:16:48 Waiting for connection...
2023/07/28 18:16:48 Doing really hard work (1 / 10)
2023/07/28 18:16:49 Doing really hard work (2 / 10)
2023/07/28 18:16:50 Doing really hard work (3 / 10)
2023/07/28 18:16:51 Doing really hard work (4 / 10)
2023/07/28 18:16:52 Doing really hard work (5 / 10)
2023/07/28 18:16:53 Doing really hard work (6 / 10)
2023/07/28 18:16:53 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:54 Doing really hard work (7 / 10)
2023/07/28 18:16:55 Doing really hard work (8 / 10)
2023/07/28 18:16:56 Doing really hard work (9 / 10)
2023/07/28 18:16:57 Doing really hard work (10 / 10)
2023/07/28 18:16:58 Done!
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

but it works via gRPC Connection

HOSTNAME=localhost.with-token.grpc SERVER_INFO=grpc://127.0.0.1:55680 go run .
2023/07/28 18:14:55 Waiting for connection...
2023/07/28 18:14:55 Doing really hard work (1 / 10)
2023/07/28 18:14:56 Doing really hard work (2 / 10)
2023/07/28 18:14:57 Doing really hard work (3 / 10)
2023/07/28 18:14:58 Doing really hard work (4 / 10)
2023/07/28 18:14:59 Doing really hard work (5 / 10)
2023/07/28 18:15:00 Doing really hard work (6 / 10)
2023/07/28 18:15:01 Doing really hard work (7 / 10)
2023/07/28 18:15:02 Doing really hard work (8 / 10)
2023/07/28 18:15:03 Doing really hard work (9 / 10)
2023/07/28 18:15:04 Doing really hard work (10 / 10)
2023/07/28 18:15:05 Done!

Steps to Reproduce

OTel-Collector-Contrib Config

My Go file

// 创建 OTEL 的 GRPC 连接器
func grpcExpoter(ctx context.Context, SERVER_ADDR string) (*otlptrace.Exporter, error) {
	addr := strings.TrimLeft(SERVER_ADDR, "grpc://")

	conn, err := grpc.DialContext(ctx, addr,
		// Note the use of insecure transport here. TLS is recommended in production.
		grpc.WithTransportCredentials(insecure.NewCredentials()),
		grpc.WithBlock(),
		// grpc.WithTimeout(5*time.Second),
	)

	if err != nil {
		return nil, fmt.Errorf("failed to create gRPC connection to collector: %w", err)
	}

	// Set up a trace exporter
	traceExporter, err := otlptracegrpc.New(
		ctx,
		otlptracegrpc.WithGRPCConn(conn),
		otlptracegrpc.WithHeaders(
			map[string]string{
				"authorization": `Bearer vyAQ21d5NCfUIXe`,
				"Authorization": `Bearer vyAQ21d5NCfUIXe`,
			},
		),
	)
	if err != nil {
		return nil, fmt.Errorf("failed to create trace exporter: %w", err)
	}
	return traceExporter, nil
}

func httpExporter(ctx context.Context, SERVER_ADDR string) (*otlptrace.Exporter, error) {

	SERVER_ADDR = strings.TrimPrefix(SERVER_ADDR, "https://")
	SERVER_ADDR = strings.TrimPrefix(SERVER_ADDR, "http://")

	opts := []otlptracehttp.Option{
		otlptracehttp.WithTimeout(5 * time.Second),
		otlptracehttp.WithEndpoint(SERVER_ADDR),
		otlptracehttp.WithInsecure(),
		otlptracehttp.WithHeaders(
			map[string]string{
				"authorization": `Bearer vyAQ21d5NCfUIXe`,
				"Authorization": `Bearer vyAQ21d5NCfUIXe`,
			},
		),
	}

	trace, err := otlptracehttp.New(ctx, opts...)

	return trace, err
}

Expected Result

Success

Actual Result

401 Unauthorized

Collector version

v0.81.0

Environment information

Environment

OS: (e.g., "Ubuntu 20.04")
Compiler(if manually compiled): (e.g., "go 14.2")

OpenTelemetry Collector configuration

extensions:
  basicauth/server:
    htpasswd: 
      # file: .htpasswd
      inline: |
        auth_user:auth_pass_123
  bearertokenauth/withscheme:
    scheme: Bearer
    token: vyAQ21d5NCfUIXe

receivers:
  otlp:
    protocols:
      grpc:
        endpoint: "0.0.0.0:55680"
        auth:
          # authenticator: basicauth/server
          authenticator: bearertokenauth/withscheme
      http:
        endpoint: "0.0.0.0:55681"
        auth:
          # authenticator: basicauth/server
          authenticator: bearertokenauth/withscheme

exporters:
  logging/detail:
    loglevel: debug
  alibabacloud_logservice/traces:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-traces"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"
  alibabacloud_logservice/metrics:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-metrics"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"
  alibabacloud_logservice/logs:
    endpoint: "cn-beijing.log.aliyuncs.com"
    project: "my-sls-project"
    logstore: "my-sls-logstore-logs"
    access_key_id: "xxxxxx"
    access_key_secret: "yyyyyy"

service:
  telemetry:
    logs:
      level: "debug"
  extensions: [basicauth/server, bearertokenauth/withscheme]
  pipelines:
    traces:
      receivers: [otlp]           #接收端配置为otlp。
      exporters: [alibabacloud_logservice/traces]   #发送端配置为alibabacloud_logservice/traces。
      # for debug
      # exporters: [logging/detail,alibabacloud_logservice/traces]
    metrics:
      receivers: [otlp]
      exporters: [alibabacloud_logservice/metrics]
    logs:
      receivers: [otlp]
      exporters: [alibabacloud_logservice/logs]

Log output

HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/28 18:16:48 Waiting for connection...
2023/07/28 18:16:48 Doing really hard work (1 / 10)
2023/07/28 18:16:49 Doing really hard work (2 / 10)
2023/07/28 18:16:50 Doing really hard work (3 / 10)
2023/07/28 18:16:51 Doing really hard work (4 / 10)
2023/07/28 18:16:52 Doing really hard work (5 / 10)
2023/07/28 18:16:53 Doing really hard work (6 / 10)
2023/07/28 18:16:53 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:54 Doing really hard work (7 / 10)
2023/07/28 18:16:55 Doing really hard work (8 / 10)
2023/07/28 18:16:56 Doing really hard work (9 / 10)
2023/07/28 18:16:57 Doing really hard work (10 / 10)
2023/07/28 18:16:58 Done!
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/28 18:16:58 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

Additional context

No response

[github-actions]

Pinging code owners:

• extension/bearertokenauth: @jpkrohling @pavankrish123 @frzifus

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[jpkrohling]

@pavankrish123 @frzifus, are you able to take a look?

[tangx]

@jpkrohling,

Don't go into the extension via HTTP

It doesn't trigger the token comparing while the Token isn't matching.

make run.localhost.http
HOSTNAME=localhost.with-token.http SERVER_INFO=http://127.0.0.1:55681 go run .
2023/07/31 11:26:13 Waiting for connection...
2023/07/31 11:26:13 Doing really hard work (1 / 10)
2023/07/31 11:26:14 Doing really hard work (2 / 10)
2023/07/31 11:26:15 Doing really hard work (3 / 10)
2023/07/31 11:26:16 Doing really hard work (4 / 10)
2023/07/31 11:26:17 Doing really hard work (5 / 10)
2023/07/31 11:26:18 Doing really hard work (6 / 10)
2023/07/31 11:26:18 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/31 11:26:19 Doing really hard work (7 / 10)
2023/07/31 11:26:20 Doing really hard work (8 / 10)
2023/07/31 11:26:21 Doing really hard work (9 / 10)
2023/07/31 11:26:22 Doing really hard work (10 / 10)
2023/07/31 11:26:23 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized
2023/07/31 11:26:23 Done!
2023/07/31 11:26:23 traces export: failed to send to http://127.0.0.1:55681/v1/traces: 401 Unauthorized

everything goes as expect via gRPC.

make run.localhost.grpc
HOSTNAME=localhost.with-token.grpc SERVER_INFO=grpc://127.0.0.1:55680 go run .

2023/07/31 11:25:58 Waiting for connection...
2023/07/31 11:25:58 Doing really hard work (1 / 10)
2023/07/31 11:25:59 Doing really hard work (2 / 10)
2023/07/31 11:26:00 Doing really hard work (3 / 10)
2023/07/31 11:26:01 Doing really hard work (4 / 10)
2023/07/31 11:26:02 Doing really hard work (5 / 10)
2023/07/31 11:26:03 Doing really hard work (6 / 10)
2023/07/31 11:26:03 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____
2023/07/31 11:26:04 Doing really hard work (7 / 10)
2023/07/31 11:26:05 Doing really hard work (8 / 10)
2023/07/31 11:26:06 Doing really hard work (9 / 10)
2023/07/31 11:26:07 Doing really hard work (10 / 10)
2023/07/31 11:26:08 Done!
2023/07/31 11:26:08 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____
2023/07/31 11:26:08 traces export: rpc error: code = Unknown desc = scheme or token does not match: Bearer vyAQ21d5NCfUIXe_____

[github-actions]

This issue has been inactive for 60 days. It will be closed in 60 days if there is no activity. To ping code owners by adding a component label, see Adding Labels via Comments, or if you are unsure of which component this issue relates to, please ping @open-telemetry/collector-contrib-triagers. If this issue is still relevant, please ping the code owners or leave a comment explaining why it is still relevant. Otherwise, please close it.

Pinging code owners:

• extension/bearertokenauth: @jpkrohling @pavankrish123 @frzifus
• needs: Github issue template generation code needs this to generate the corresponding labels.

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[jpkrohling]

Sorry for taking so long to take a look at this, I've added this to my queue.

[pollosp]

Same problem here with HTTP receiver as @tangx

[nagashan]

Same problem here with HTTP receiver.

Its because of We are always trying to get the authorization with the lower case from headers, But The headers from Http is received as Authorization even-though we sent in lower case.

[nagashan]

#29992