[extension/azureauth] Support for custom scopes

[gravufo]

Component(s)

extension/azureauth

Is your feature request related to a problem? Please describe.

I am trying to use the azureauth extension to push metrics to Azure Monitor Workspace using the prometheusremotewrite exporter.
Microsoft requires the authentication tokens to have the required audience to accept metrics.
Audiences are:

• US Government: https://monitor.azure.us/.default
• PublicCloud: https://monitor.azure.com/.default

However, the target host is not monitor.azure.com. Each Azure Monitor Workspace has its own host.
Unfortunately, the extension does not allow setting a custom scope in its configuration and defaults to the target host as can be seen here.

Describe the solution you'd like

Expose a custom scope in the extension's config so it can be used like this:

azureauth:
  scopes:
    - https://monitor.azure.com/.default
  workload_identity:
    [...]

Note: I suggest exposing a []string{} so that it can be sent as-is to the underlying credential provider (azidentity) since that's what it wants. That way, we are not blocking any further use-cases. That said, I am open to only exposing a string, but I don't see any benefit in artificially limiting options.

Note2: The behavior if scopes is not set in the config should be the same as it is today; i.e. fallback to requesting a scope of .default on the target host of the request.

Describe alternatives you've considered

The only alternative is to keep using aad-auth-proxy, but I'm trying to get rid of it.

Additional context

No response

Tip

_{React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it. Learn more here.}

[github-actions]

Pinging code owners:

• exporter/azuremonitor: @pcwiese @hgaol
• extension/azureauth: @constanca-m

See Adding Labels via Comments if you do not have permissions to add labels yourself.

[gravufo]

@constanca-m since you are the original author of the extension, I would be curious to know what your opinion is on this matter.

[gravufo]

Sorry for the exporter/azuremonitor folks, I misclicked in the components section and didn't realize it was a multi-select field.

[constanca-m]

Looks good to me @gravufo ! It was actually part of the original issue of the extension to add a scope configuration (see, it was the resource field), but there was no interest at the time for the field. The implementation for the scope was even very briefly part of the extension: see the PR.

I think it is time to put it back, then! And it also worries me that we are asking for a new token all the time, it should be cached again.

Would you like to work on it? I can also take it, no problem.

[constanca-m]

/labels -needs-triage

[constanca-m]

I have created a PR to implement the tokens cache: #41020. You can see I left a TODO there:

// TODO Add support for scope in configuration, that will take priority over this
// computed scope

This is where your proposed feature should be implemented.

[gravufo]

@constanca-m you do not need to implement token caching, it is already implemented and enabled by default in the azidentity sdk: https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/TOKEN_CACHING.MD#credentials-supporting-token-caching
I will copy my comment in your PR just to make sure it gets considered. I think it's better if we don't need extra logic in the extension, makes it simpler to maintain over time :)

As for the scope, I don't mind doing it, but it will take a few days at least (we're off today and I may need to catch up some stuff at work tomorrow). If you're super motivated, go for it! :D

Thanks for the feedback.