[Filebeat][xpack][httpjson] - OAuth2 use without client secret and with url params is not possible

The xpack input module httpjson for filebeat can handle the OAuth2 process.
We want to use httpjson against a Cloud Foundry setup, which is not possible. The problem comes up because of two hard-coded constraints:

  • the "client_id" and "client_secret" are sent in the POST body as application/x-www-form-urlencoded parameters
  • the client_id and client_secret have been set.

In our example we needed to adjust the following file to get the input module running as expected, because the clientsecret was null and the client credentials within the body not supported:

x-pack->filebeat->input->httpjson->config_auth.go
LINE 25:

// authStyleInParams sends the "client_id" and "client_secret" in the POST body as application/x-www-form-urlencoded parameters.
//const authStyleInParams = 1
// Change to Auto Detection
const authStyleAutoDetect = 0

LINE 216

// exclude the ClientSecret from Param Validator:
	case oAuth2ProviderDefault:
		if o.TokenURL == "" || o.ClientID == "" { //|| o.ClientSecret == ""
			return errors.New("both token_url and client.id credentials must be provided")
		}
		if (o.User != "" && o.Password == "") || (o.User == "" && o.Password != "") {
			return errors.New("both user and password credentials must be provided")
		}
	default:

I'm new to contributing to open source software and I want to ask how the process goes further.
I would like to create a Bug / PullRequest for this issue but I read that this forum is the starting point. Is this correct?

Kind regards,
Patrick

@TiagoQueiroz maybe you or someone from the data plane teams could have a look here, as it is related to the httpjson input. Should the PR for this use case be opened?

Hi @p-leh,

this seems to be a legit feature improvement. If I understood correctly, you need to use OAuth2 but passing the credentials in a different way, is that it?

Could you provide more details about how the request needs to be set up?

Without fully understanding your need, it seems what you're asking for is a different way to set up/pass the OAuth2 credentials in the request. Is that it?

Hi @TiagoQueiroz,

yes your guess is right:
1.) I want the option that the credentials are passed as Header params as well, or even better, to use the automatic function from the oauth2 package. (oauth2 package - golang.org/x/oauth2 - Go Packages)
2.) The passing of the required client credentials is too strict, because the param validator checks the client secret as well. But the client secret can be empty too and still be valid for the oauth2 access process.

Regards,
Patrick
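
The two credential placements discussed in this thread, as an added example that is not part of the original posts or of the Beats code base: it builds a client_credentials token request with the client credentials either in the form body or in the HTTP Basic header, and sends both to a hypothetical token endpoint that only reads the header and accepts an empty secret. The client id, the `/oauth/token` path, the token value and all function names are constructed for illustration; only the Go standard library is used.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed sample client (not from the thread); its secret is empty.
const sampleClientID, sampleSecret = "sample-client", ""
type authStyle int
const (
	styleInParams authStyle = iota // credentials in the form body
	styleInHeader                  // credentials in the HTTP Basic header
)
// newTokenRequest builds a client_credentials token request in the given style.
func newTokenRequest(id, secret string, style authStyle) *http.Request {
	form := url.Values{"grant_type": {"client_credentials"}}
	if style == styleInParams {
		form.Set("client_id", id)
		form.Set("client_secret", secret)
	}
	req := httptest.NewRequest(http.MethodPost, "/oauth/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if style == styleInHeader {
		req.SetBasicAuth(url.QueryEscape(id), url.QueryEscape(secret))
	}
	return req
}

// headerOnlyTokenEndpoint is a hypothetical endpoint that only reads the Basic header.
func headerOnlyTokenEndpoint(w http.ResponseWriter, r *http.Request) {
	id, secret, ok := r.BasicAuth()
	if !ok || id != sampleClientID || secret != sampleSecret {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, `{"access_token":"constructed-token","token_type":"bearer"}`)
}

// tokenStatus sends one request in the given style and returns the HTTP status.
func tokenStatus(style authStyle) int {
	rec := httptest.NewRecorder()
	headerOnlyTokenEndpoint(rec, newTokenRequest(sampleClientID, sampleSecret, style))
	return rec.Code
}
func main() { fmt.Println(tokenStatus(styleInParams), tokenStatus(styleInHeader)) }
```

Against this endpoint the body-parameter request is rejected with 401, while the header request with the empty secret gets 200.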

Hi @p-leh,

that looks like a legit enhancement request, could you open an issue on GitHub describing it? It would add a new way of authenticating, if my understanding is correct.

Feel free to also send a PR (create the issue first, then assign it to yourself so we know you're working on it).

Hi @TiagoQueiroz
thx for your support!
I've created the issue but I cannot assign myself to it and the bot labeled it with need_teams.
Did I do something wrong?

Regards,
Patrick

Hi @p-leh, post the link here and I'll take a look at it.

Hi @TiagoQueiroz ,

thx: [Filebeat][xpack][httpjson] - OAuth2 use without client secret and with url params is not possible · Issue #33327 · elastic/beats · GitHub

Thanks!

I managed to assign it to you. The needs-team label is normal, ideally every issue/PR is assigned to one of our teams, hence the automation adds this needs-team label until we properly label it.
