Capability to set auth header while package download

[phanidevavarapu]

I have this use case where packages GET is behind the Basic auth.
Can you please check and suggest a way to pass the basic auth info in the header during the call?
https://github.com/open-telemetry/opamp-go/blob/main/client/internal/packagessyncer.go#L261

[tigrannajaryan]

I think this requires adding the auth headers to be used to the DownloadableFile message: https://github.com/open-telemetry/opamp-spec/blob/main/specification.md#downloadablefile-message

[tpaschalis]

So do we think this discussion should be moved to the spec first then?

Just for posterity, there is the possibility of using a userinfo to pass in auth (like http://username:[email protected]/) but I'm not sure if it's a good idea; for example a newer HTTP Semantic RFC9110 advocates for its deprecation.

[tigrannajaryan]

So do we think this discussion should be moved to the spec first then?

Yes. It needs to be a spec change to DownloadableFile message.

Just for posterity, there is the possibility of using a userinfo to pass in auth (like http://username:[email protected]/) but I'm not sure if it's a good idea; for example a newer HTTP Semantic RFC9110 advocates for its deprecation.

I think it is worth discussing, I am not entirely sure what's the best way. We may want to support other auth schemes, not just "Basic" auth. One possible approach is to allow specifying an arbitrary set of Headers that the downloader should include in the GET request. This covers the "Basic" auth by supplying "Authorization: Basic " and also the simple cases of vendor-specific tokens in headers.

[tpaschalis]

Yeah, agreed. I'll move the discussion over to the spec repo as a new issue, it's gonna be my first one there.

Thanks! 🙏

Edit: opened open-telemetry/opamp-spec#194