OTLP/HTTP receiver does not return a Status message when any Authenticator extension fails authentication

[noctchillin]

Component(s)

receiver/otlp

What happened?

Describe the bug

If processing for an OTLP/HTTP request fails, it should include the failure message in the response. "The Status.message field SHOULD contain a developer-facing error message as defined in Status message schema." - https://opentelemetry.io/docs/specs/otlp/#failures-1

This does not occur when a request fails because of an Authenticator extension.

Steps to reproduce

Setup any Authenticator extension for the OTLP/HTTP receiver. Attempt to send traces/metrics/logs to this endpoint from a client OTLP/HTTP exporter using default settings so that authentication is guaranteed to fail. (I am using a Java client for this example, but the behavior should be the same regardless of SDK)

As this repository does not contain any auth extension, I am using the basicauthextension from the contrib repository as an example, but the issue is present in the OTLP receiver code.

What did you expect to see?

The status message should be included in the response to the OTLP/HTTP exporter

What did you see instead?

The status message is not included in the response, the client exporter reports that it cannot be parsed.

[otel.javaagent 2025-03-18 13:41:02:820 -0500] [OkHttp http://localhost:4318/...] WARN io.opentelemetry.exporter.internal.http.HttpExporter - Failed to export spans. Server responded with HTTP status code 401.
Error message: Unable to parse response body, HTTP status message: Unauthorized

Note that when the client uses GRPC protocol, the error message is present in the response to the client exporter.

[otel.javaagent 2025-03-18 13:43:56:690 -0500] [OkHttp http://localhost:4317/...] WARN io.opentelemetry.exporter.internal.grpc.GrpcExporter - Failed to export spans. Server responded with gRPC status code 16. 
Error message: no basic auth provided

Collector version

v0.122.0

Environment information

No response

OpenTelemetry Collector configuration

receivers:
  otlp:
    protocols:
      grpc:
        auth:
          authenticator: basicauth/server
      http:
        auth:
          authenticator: basicauth/server
exporters:
  debug:
    verbosity: normal
        

extensions:
  basicauth/server:
    htpasswd: 
      inline: |
        abc:123



service:
  extensions: [basicauth/server]
  pipelines:
    traces:
      receivers: [otlp]
      processors: []
      exporters: [debug]
    metrics:
      receivers: [otlp]
      processors: []
      exporters: [debug] 
    logs:
      receivers: [otlp]
      processors: []
      exporters: [debug]

Log output

Additional context

In the code that handles this behavior in config/confighttp/confighttp.go, you can see that the error and respective message returned from the server.Authenticate call is ignored.

opentelemetry-collector/config/confighttp/confighttp.go

Lines 540 to 557 in c11fa87

	func authInterceptor(next http.Handler, server extensionauth.Server, requestParams []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	sources := r.Header
	query := r.URL.Query()
	for _, param := range requestParams {
	if val, ok := query[param]; ok {
	sources[param] = val
	}
	}
	ctx, err := server.Authenticate(r.Context(), sources)
	if err != nil {
	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
	return
	}
	next.ServeHTTP(w, r.WithContext(ctx))
	})
	}

This should be handled in a similar way as errors are handled in receiver/otlpreceiver/otlphttp.go , in which the error is included in a Status object, which is then marshalled using the correct encoding before being written to the response.

opentelemetry-collector/receiver/otlpreceiver/otlphttp.go

Lines 183 to 184 in f53e7d5

	// writeError encodes the HTTP error inside a rpc.Status message as required by the OTLP protocol.
	func writeError(w http.ResponseWriter, encoder encoder, err error, statusCode int) {