cloud-auth: Add generic OAuth2 authentication module #5570

Merged: HofiOne merged 1 commit into syslog-ng:develop from davidtosovic-db:oauth2_support on Dec 1, 2025

davidtosovic-db commented Nov 26, 2025

Motivation

Enable clients to specify a destination with an oauth2 cloud-auth module that handles OAuth token fetching and refresh logic.

Currently, the only OAuth2 support in syslog-ng is inside the azure-auth module, which is Azure-specific and cannot be used with other cloud providers. This limits the destinations syslog-ng can target with OAuth2 tokens.
Apart from that, if new cloud-provider specific implementations were needed, we'd have code duplication when adding new OAuth2-based authenticators.

Changes

This PR introduces a generic OAuth2 authentication module that implements the client credentials flow with configurable authentication methods (HTTP Basic Auth or POST body credentials). The module provides a reusable foundation for cloud service authenticators that use OAuth2.

Key Features:

  • Token fetching, caching, and automatic refresh based on expiry
  • Configurable authentication method via auth-method() parameter
  • Support for optional scope, resource, and authorization_details parameters
  • Extensible via virtual methods for service-specific customization

Implementation Details:

  • New generic OAuth2 module (oauth2-auth.{h,hpp,cpp}):

    • Handles all common OAuth2 client credentials flow logic
    • Reduces code duplication across cloud auth modules
  • Refactored Azure module (azure-auth.{h,hpp,cpp}):

    • Now inherits from the generic OAuth2Authenticator
    • Maintains 100% backward compatibility with existing configurations
    • Eliminates duplicated logic from azure-auth module

Configuration

Using the new generic OAuth2 module:

destination d_http_oauth2 {
  http(
    url("https://api.example.com/logs")
    cloud-auth(
      oauth2(
        client-id("your-client-id")
        client-secret("your-secret")
        token-url("https://login.example.com/oauth2/token")
        scope("https://api.example.com/.default")
        auth-method("post-body")  # or "basic"
      )
    )
  );
};

Existing Azure configuration (unchanged):

destination d_azure {
  http(
    url("https://...")
    cloud-auth(
      azure(
        monitor(
          tenant-id("...")
          app-id("...")
          app-secret("...")
          scope("...")
        )
      )
    )
  );
};

Testing

  • Verified the new generic OAuth2 module by targeting an HTTP endpoint
  • Verified Azure authentication still works and successfully fetches OAuth2 tokens from Azure
  • Verified token fetching, caching, and refresh work correctly

Notes

  • The generic OAuth2 module is designed to be extended by future authenticators
  • No breaking changes to existing configurations
  • News file added: news/feature-5571.md
    Solves: Generic OAuth cloud module #5571
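
The two `auth-method()` modes and the expiry-based refresh described in this PR, sketched as an added example (not code from the PR or from syslog-ng). Request construction follows RFC 6749 sections 2.3.1 and 4.4; reading `refresh-offset()` as seconds before expiry is an assumption, and the function and class names are hypothetical.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode


def build_token_request(client_id, client_secret, auth_method, scope=None, resource=None):
    """Return (headers, body) for a client-credentials token request."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    if resource:
        params["resource"] = resource
    if auth_method == "basic":
        # RFC 6749 2.3.1: form-encode id and secret, then wrap them in HTTP Basic.
        pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif auth_method == "post-body":
        # Credentials travel as form fields next to grant_type.
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth-method: {auth_method!r}")
    return headers, urlencode(params)


class TokenCache:
    """Holds one access token and reports when it has to be fetched again."""

    def __init__(self, refresh_offset=60, clock=time.monotonic):
        self.refresh_offset = refresh_offset  # assumed: seconds before expiry
        self.clock = clock
        self.token = None
        self.expires_at = 0.0

    def store(self, token_response):
        # token_response is the parsed JSON body returned by the token endpoint.
        self.token = token_response["access_token"]
        self.expires_at = self.clock() + float(token_response.get("expires_in", 0))

    def needs_refresh(self):
        # Refresh early so a request never goes out with a token about to expire.
        return self.token is None or self.clock() >= self.expires_at - self.refresh_offset
```

In `post-body` mode the secret is in the request body, so any body logging on proxies or at the token endpoint has to be handled as secret-bearing; in `basic` mode the same applies to the `Authorization` header.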

@kira-syslogng

Can one of the admins verify this patch?

HofiOne commented Nov 26, 2025

@davidtosovic-db thank you, we will review this in the near future!

github-actions bot commented Nov 28, 2025

This Pull Request introduces config grammar changes

syslog-ng/d23664dcae6d4c070fb0801f20d4118202716e73 -> davidtosovic-db/oauth2_support

--- a/destination
+++ b/destination

 http(
     cloud-auth(
+        oauth2(
+            <empty>
+            auth-method(
+                basic
+                post-body
+            )
+            authorization-details(<string>)
+            client-id(<string>)
+            client-secret(<string>)
+            refresh-offset(<number>)
+            resource(<string>)
+            scope(<string>)
+            token-url(<string>)
+        )
     )
 )
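
Review bot: the `<empty>` alternative under `oauth2(` means the grammar accepts a block with no `client-id()`, `client-secret()` or `token-url()`, so please confirm that init fails with an error naming the missing option rather than deferring the failure to the first token fetch. `token-url(<string>)` is an unconstrained string and is where the client secret gets sent; consider rejecting or at least warning on a non-https URL at init. `refresh-offset(<number>)` appears here but not in the PR description or the configuration example, so its unit and default should be documented alongside the other options.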

HofiOne commented Nov 28, 2025

@davidtosovic-db: could you please fix the style check and switch issues?

HofiOne left a comment

One last tiny request, otherwise LGTM.

HofiOne commented Nov 29, 2025

@davidtosovic-db please correct the commit-check issue

This change introduces a generic OAuth2 authentication module that implements
the client credentials flow with configurable authentication methods (HTTP Basic
Auth or POST body credentials). The module provides a reusable foundation for
cloud service authenticators that use OAuth2.

Key features:
- Token fetching, caching, and automatic refresh based on expiry
- Configurable authentication method via `auth-method()` parameter
- Support for optional `scope`, `resource`, and `authorization_details` parameters
- Extensible via virtual methods for service-specific customization

The existing `azure-auth` module has been refactored to inherit from the generic
OAuth2 authenticator, eliminating code duplication while maintaining full
backward compatibility with the existing user interface and configuration syntax.

Signed-off-by: David Tosovic <[email protected]>

HofiOne linked an issue Dec 1, 2025 that may be closed by this pull request
HofiOne self-requested a review December 1, 2025 10:06

HofiOne left a comment

I love this, thank you for your contribution!

HofiOne merged commit 359b26b into syslog-ng:develop Dec 1, 2025
117 of 118 checks passed

davidtosovic-db (Contributor Author) commented

> I love this, thank you for your contribution!

And thank you for the quick review! Glad I could contribute!
