Allow the OIDC extension client secret to be provided by an Environment Variable #35897

Open
biggles007 opened this issue Oct 21, 2024 · 2 comments
Labels: enhancement (New feature or request), extension/oidcauth, needs triage (New item requiring triage)

Comments

@biggles007

Component(s)

extension/oidcauth

Is your feature request related to a problem? Please describe.

Allowing the simple rotation of client secrets in the oidcauth extension at scale in cloud deployments

Describe the solution you'd like

Many aspects of the OTEL SDK are configurable through environment variables; extending this to the oidcauth extension would allow the simple rotation of secrets at large scale. For example, Azure Functions/App Service allow for Key Vault secrets to be passed in through environment variables; these can be rotated in the Key Vault and will then be refreshed within 24 hours.

Describe alternatives you've considered

I'm aware the _file option could be used, but there is no ability to change files easily in many cloud services once they have been deployed.

Additional context

No response

biggles007 added the enhancement (New feature or request) and needs triage (New item requiring triage) labels on Oct 21, 2024
Contributor

Pinging code owners:

See Adding Labels via Comments if you do not have permissions to add labels yourself.

@jpkrohling
Member

jpkrohling commented Dec 2, 2024

I'm sorry, but I'm not fully grasping what's being requested here. The OIDC Auth Extension is a server authenticator, to be used in receivers. It will read a token from a request and validate it against the provided auth server. There's no secret as part of the configuration of this component.

Did you have the bearer token auth extension in mind? If so, wouldn't something like this work for you?

  bearertokenauth:
    token: "${env:MY_BEARER_TOKEN}"

This would still require a restart of the process (pod) for new values to be applied, but that's true for env vars in general, not only for this component.
