docs: inputs: http: add OAuth 2.0 JWT validation and remote_addr_key parameters

[eschabell]

• Add oauth2.validate, oauth2.issuer, oauth2.jwks_url, oauth2.allowed_audience, oauth2.allowed_clients, and oauth2.jwks_refresh_interval config parameters to the table
• Add remote_addr_key config parameter to the table
• Add "OAuth 2.0 JWT validation" section explaining the feature and required parameters
• Add configuration examples for OAuth 2.0 JWT validation in YAML and classic .conf format
• Fix parameter table sort order

Fixes #2500

Summary by CodeRabbit

• Documentation
  • Documented OAuth 2.0 JWT validation support for HTTP inputs with new configuration parameters
  • Added configuration examples for enabling JWT validation
  • Documented remote_addr_key parameter for controlling record field names
  • Updated HTTP headers documentation formatting

[coderabbitai]

Warning

Rate limit exceeded

@eschabell has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 14 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fc9e72b0-588a-40d3-b61a-0e0e5ddfa53f

📥 Commits

Reviewing files that changed from the base of the PR and between 2a49033 and 6d62d6f.

📒 Files selected for processing (1)

• pipeline/inputs/http.md

📝 Walkthrough

Walkthrough

Documentation for the HTTP input plugin was updated to include newly supported OAuth 2.0 JWT validation configuration parameters, the remote_addr_key parameter, and examples demonstrating how to enable OAuth 2.0 JWT validation.

Changes

Cohort / File(s)	Summary
HTTP Input OAuth 2.0 Documentation pipeline/inputs/http.md	Added configuration parameters for OAuth 2.0 JWT validation (oauth2.validate, oauth2.issuer, oauth2.jwks_url, oauth2.jwks_refresh_interval, oauth2.allowed_audience, oauth2.allowed_clients), remote_addr_key parameter documentation, and usage section explaining OAuth 2.0 token validation behavior. Included configuration examples for fluent-bit.yaml and fluent-bit.conf.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

• cosmo0920
• patrick-stephens

Poem

🐰 A new guard stands at the gate,
With tokens checked at steady rate,
OAuth whispers, JWT flows,
The docs now shine where knowledge grows! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: adding OAuth 2.0 JWT validation and remote_addr_key parameters documentation to the HTTP input guide.
Linked Issues check	✅ Passed	The PR addresses all coding requirements from issue #2500: documents all six oauth2.* parameters in the parameters table with correct defaults, adds the remote_addr_key parameter, includes an OAuth 2.0 JWT validation section with required parameter guidance, and provides YAML and .conf format examples.
Out of Scope Changes check	✅ Passed	All changes are directly related to documenting the OAuth 2.0 JWT validation feature and remote_addr_key parameter as specified in issue #2500; no unrelated modifications detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pipeline/inputs/http.md (1)

315-359: Consider adding oauth2.allowed_clients to the example.

While the example demonstrates the core OAuth 2.0 JWT validation parameters, it omits oauth2.allowed_clients which is documented in the parameters table. Adding this optional parameter would provide a more complete reference for users who need to restrict access by client ID.

💡 Enhanced example with allowed_clients

For the YAML example:

       oauth2.validate: true
       oauth2.issuer: https://auth.example.com
       oauth2.jwks_url: https://auth.example.com/.well-known/jwks.json
       oauth2.allowed_audience: my-service
+      oauth2.allowed_clients:
+        - client-app-1
+        - client-app-2
       oauth2.jwks_refresh_interval: 300

For the .conf example:

   Oauth2.validate           true
   Oauth2.issuer             https://auth.example.com
   Oauth2.jwks_url           https://auth.example.com/.well-known/jwks.json
   Oauth2.allowed_audience   my-service
+  Oauth2.allowed_clients    client-app-1
+  Oauth2.allowed_clients    client-app-2
   Oauth2.jwks_refresh_interval 300

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pipeline/inputs/http.md` around lines 315 - 359, Add the optional
oauth2.allowed_clients parameter to both example configurations so readers can
restrict accepted client IDs; update the YAML under the pipeline.inputs.http
block to include oauth2.allowed_clients (e.g., a comma-separated string or list
value alongside oauth2.allowed_audience) and update the fluent-bit.conf INPUT
section to include Oauth2.allowed_clients with the same format, ensuring the key
name matches oauth2.allowed_clients (YAML) and Oauth2.allowed_clients
(fluent-bit.conf) used elsewhere in the doc.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pipeline/inputs/http.md`:
- Around line 37-41: Update the OAuth 2.0 JWT section to explicitly state that
JWKS are fetched lazily on the first incoming request when oauth2.validate is
true: mention that the initial JWKS fetch happens on the first request requiring
validation (using oauth2.jwks_url), the keys are then cached and refreshed every
oauth2.jwks_refresh_interval seconds, and that oauth2.issuer and oauth2.jwks_url
are required when validation is enabled; keep the phrasing concise and add a
short note that requests before the first fetch will trigger the initial JWKS
retrieval.

---

Nitpick comments:
In `@pipeline/inputs/http.md`:
- Around line 315-359: Add the optional oauth2.allowed_clients parameter to both
example configurations so readers can restrict accepted client IDs; update the
YAML under the pipeline.inputs.http block to include oauth2.allowed_clients
(e.g., a comma-separated string or list value alongside oauth2.allowed_audience)
and update the fluent-bit.conf INPUT section to include Oauth2.allowed_clients
with the same format, ensuring the key name matches oauth2.allowed_clients
(YAML) and Oauth2.allowed_clients (fluent-bit.conf) used elsewhere in the doc.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7bedc3be-c395-4752-8481-5dc767d3e1a1

📥 Commits

Reviewing files that changed from the base of the PR and between 55086ff and 2a49033.

📒 Files selected for processing (1)

• pipeline/inputs/http.md

[eschabell]

@patrick-stephens ready for review!