output_azure: OAuth authentication support for Azure output plugins

include/fluent-bit/flb_azure_auth.h

@@ -0,0 +1,107 @@
+/* -*- Mode: C; tab-width: 4; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
+
+/*  Fluent Bit
+ *  ==========
+ *  Copyright (C) 2015-2026 The Fluent Bit Authors
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+#ifndef FLB_AZURE_AUTH_H
+#define FLB_AZURE_AUTH_H
+
+#include <fluent-bit/flb_info.h>
+#include <fluent-bit/flb_oauth2.h>
+#include <fluent-bit/flb_sds.h>
+
+/* Authentication types for Azure services */
+typedef enum {
+    FLB_AZURE_AUTH_KEY = 0,                       /* Shared Access Key (blob-specific) */
+    FLB_AZURE_AUTH_SAS,                           /* Shared Access Signature (blob-specific) */
+    FLB_AZURE_AUTH_SERVICE_PRINCIPAL,             /* Service Principal (Client ID + Secret) */
+    FLB_AZURE_AUTH_MANAGED_IDENTITY_SYSTEM,       /* System-assigned Managed Identity */
+    FLB_AZURE_AUTH_MANAGED_IDENTITY_USER,         /* User-assigned Managed Identity */
+    FLB_AZURE_AUTH_WORKLOAD_IDENTITY              /* Workload Identity (Federated Token) */
+} flb_azure_auth_type;
+
+/* Azure Instance Metadata Service (IMDS) endpoint for Managed Identity */
+#define FLB_AZURE_IMDS_HOST "169.254.169.254"
+#define FLB_AZURE_IMDS_PORT "80"
+
+/* Managed Identity authentication URL template */
+#define FLB_AZURE_MSI_AUTH_URL_TEMPLATE \
+    "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-02-01%s%s&resource=%s"
+
+/* Microsoft Authentication Library (MSAL) authorization URL template */
+#define FLB_AZURE_MSAL_AUTH_URL_TEMPLATE \
+    "https://login.microsoftonline.com/%s/oauth2/v2.0/token"
+
+/* Azure Blob Storage resource identifier */
+#define FLB_AZURE_BLOB_RESOURCE "https://storage.azure.com"
+
+/* Azure Kusto resource identifier */
+#define FLB_AZURE_KUSTO_RESOURCE "https://help.kusto.windows.net"
+
+/* Default Workload Identity token file path */
+#define FLB_AZURE_WORKLOAD_IDENTITY_TOKEN_FILE \
+    "/var/run/secrets/azure/tokens/azure-identity-token"
+
+/**
+ * Get an OAuth2 access token using Azure Managed Identity (MSI)
+ * 
+ * This function retrieves an access token from the Azure Instance Metadata Service (IMDS)
+ * for use with Azure services. Supports both system-assigned and user-assigned managed identities.
+ * 
+ * @param ctx OAuth2 context containing connection and token information
+ * @return Access token string on success, NULL on failure
+ */
+char *flb_azure_msi_token_get(struct flb_oauth2 *ctx);
+
+/**
+ * Get an OAuth2 access token using Azure Workload Identity
+ * 
+ * This function exchanges a federated token (JWT) for an Azure AD access token
+ * using the OAuth2 client credentials flow with client assertion.
+ * 
+ * @param ctx OAuth2 context for token management
+ * @param token_file Path to the file containing the federated token
+ * @param client_id Client ID of the Azure AD application
+ * @param tenant_id Tenant ID of the Azure AD directory
+ * @param resource Resource scope for the token (e.g., "https://storage.azure.com/")
+ * @return 0 on success, -1 on failure
+ */
+int flb_azure_workload_identity_token_get(struct flb_oauth2 *ctx,
+                                          const char *token_file,
+                                          const char *client_id,
+                                          const char *tenant_id,
+                                          const char *resource);
+
+/**
+ * Build OAuth URL for Azure authentication
+ * 
+ * Creates the appropriate OAuth2 endpoint URL based on the authentication type.
+ * For Managed Identity, uses IMDS endpoint. For Service Principal and Workload Identity,
+ * uses Azure AD OAuth2 endpoint.
+ * 
+ * @param auth_type Type of authentication to use
+ * @param tenant_id Azure AD tenant ID (required for Service Principal and Workload Identity)
+ * @param client_id Client ID (optional, used for user-assigned managed identity)
+ * @param resource Resource scope for the token (e.g., storage.azure.com)
+ * @return Allocated SDS string with OAuth URL, or NULL on failure
+ */
+flb_sds_t flb_azure_auth_build_oauth_url(flb_azure_auth_type auth_type,
+                                          const char *tenant_id,
+                                          const char *client_id,
+                                          const char *resource);
+
+#endif /* FLB_AZURE_AUTH_H */

plugins/out_azure_blob/azure_blob.c

@@ -1826,7 +1826,7 @@ static struct flb_config_map config_map[] = {
     {
      FLB_CONFIG_MAP_STR, "auth_type", "key",
      0, FLB_TRUE, offsetof(struct flb_azure_blob, auth_type),
-     "Set the auth type: key or sas"
+     "Set the auth type: key, sas, service_principal, managed_identity, or workload_identity"
     },
 
     {
@@ -1835,6 +1835,31 @@ static struct flb_config_map config_map[] = {
      "Azure Blob SAS token"
     },
 
+    /* OAuth authentication parameters */
+    {
+     FLB_CONFIG_MAP_STR, "tenant_id", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, tenant_id),
+     "Azure AD tenant ID (required for service_principal and workload_identity auth)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "client_id", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, client_id),
+     "Azure AD client ID / Application ID (required for OAuth-based authentication)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "client_secret", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, client_secret),
+     "Azure AD client secret (required for service_principal auth)"
+    },
+
+    {
+     FLB_CONFIG_MAP_STR, "workload_identity_token_file", NULL,
+     0, FLB_TRUE, offsetof(struct flb_azure_blob, workload_identity_token_file),
+     "Path to workload identity token file (for workload_identity auth)"
+    },
+
     {
      FLB_CONFIG_MAP_STR, "database_file", NULL,
      0, FLB_TRUE, offsetof(struct flb_azure_blob, database_file),

plugins/out_azure_blob/azure_blob.h

@@ -24,6 +24,10 @@
 #include <fluent-bit/flb_upstream.h>
 #include <fluent-bit/flb_sds.h>
 #include <fluent-bit/flb_sqldb.h>
+#include <fluent-bit/flb_azure_auth.h>
+#ifdef FLB_HAVE_TLS
+#include <fluent-bit/flb_oauth2.h>
+#endif
 
 /* Content-Type */
 #define AZURE_BLOB_CT          "Content-Type"
@@ -48,9 +52,6 @@
 #define AZURE_BLOB_APPENDBLOB 0
 #define AZURE_BLOB_BLOCKBLOB  1
 
-#define AZURE_BLOB_AUTH_KEY 0
-#define AZURE_BLOB_AUTH_SAS 1
-
 struct flb_azure_blob {
     int auto_create_container;
     int emulator_mode;
@@ -65,6 +66,13 @@ struct flb_azure_blob {
     flb_sds_t date_key;
     flb_sds_t auth_type;
     flb_sds_t sas_token;
+
+    /* OAuth authentication fields */
+    flb_sds_t tenant_id;
+    flb_sds_t client_id;
+    flb_sds_t client_secret;
+    flb_sds_t workload_identity_token_file;
+
     flb_sds_t database_file;
     size_t part_size;
     time_t upload_parts_timeout;
@@ -112,7 +120,7 @@ struct flb_azure_blob {
      * Internal use
      */
     int  btype;                  /* blob type */
-    int  atype;                  /* auth type */
+    flb_azure_auth_type atype;   /* auth type (uses flb_azure_auth_type enum from flb_azure_auth.h) */
     flb_sds_t real_endpoint;
     flb_sds_t base_uri;
     flb_sds_t shared_key_prefix;
@@ -121,6 +129,13 @@ struct flb_azure_blob {
     unsigned char *decoded_sk;        /* decoded shared key */
     size_t decoded_sk_size;           /* size of decoded shared key */
 
+#ifdef FLB_HAVE_TLS
+    /* OAuth2 authentication */
+    flb_sds_t oauth_url;
+    struct flb_oauth2 *o;
+    pthread_mutex_t token_mutex;
+#endif
+
 #ifdef FLB_HAVE_SQLDB
     /*
      * SQLite by default is not built with multi-threading enabled, and

plugins/out_azure_blob/azure_blob_appendblob.c

@@ -40,7 +40,7 @@ flb_sds_t azb_append_blob_uri(struct flb_azure_blob *ctx, char *tag)
         flb_sds_printf(&uri, "/%s?comp=appendblock", tag);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 

plugins/out_azure_blob/azure_blob_blockblob.c

@@ -48,7 +48,7 @@ flb_sds_t azb_block_blob_blocklist_uri(struct flb_azure_blob *ctx, char *name)
         flb_sds_printf(&uri, "/%s?comp=blocklist", name);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 
@@ -103,7 +103,7 @@ flb_sds_t azb_block_blob_uri(struct flb_azure_blob *ctx, char *name,
         }
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }
 
@@ -137,7 +137,7 @@ flb_sds_t azb_block_blob_uri_commit(struct flb_azure_blob *ctx,
         flb_sds_printf(&uri, "/%s.%s.%" PRIu64 "%s?comp=blocklist", tag, str, ms, ext);
     }
 
-    if (ctx->atype == AZURE_BLOB_AUTH_SAS && ctx->sas_token) {
+    if (ctx->atype == FLB_AZURE_AUTH_SAS && ctx->sas_token) {
         flb_sds_printf(&uri, "&%s", ctx->sas_token);
     }