This repository was archived by the owner on Dec 7, 2020. It is now read-only.
Added opentracing jaeger middleware #643
Status: Open. sam-burrell wants to merge 9 commits into louketo:master from signal-ai:master.
Why does this introduce so many new dependencies? @sam-burrell it's security software, does it need all that?
Louketo has a bug revolving around this PR: coreos/go-oidc#97. Essentially, the JWT verification function first checks the claims of the JWT are valid (including expiry times), then checks the signature of the token is valid. Louketo checks the response of this and returns a custom error if the token has expired to allow the auth middleware to use a refresh token to regenerate an access token. Unfortunately, the access token it generates uses the user context for the incoming request. This user context is parsed from the access token JWT but is not verified, meaning it is blindly trusted. Louketo will then regenerate a correct accessToken from Keycloak, which will be valid and have the correct claim/scopes as generated in Keycloak. I think the issue is that for the rest of the request, it has this new token in the context but still has the leftover rubbish user context parsed from the fake user we injected earlier.
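The ordering problem described in that comment, shown as an added example that is not Louketo's or go-oidc's code: `verify` checks the signature before it looks at any claim, so "expired" is only ever reported for a token the identity provider really issued and no claims are returned on an error path; `claimsFirst` reproduces the ordering the comment describes for contrast. The HS256 signing helper, the key material and the claim values are constructed for the demonstration, and the identifiers (`Claims`, `verify`, `claimsFirst`, the error values) are assumptions of this example, not names from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the payload fields the proxy acts on (constructed for this demo).
type Claims struct {
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadSignature = errors.New("invalid signature")
	ErrExpired      = errors.New("token expired")
)

// sign mints an HS256 JWT; a hypothetical stand-in for the identity provider.
func sign(key []byte, c Claims) string {
	payload, _ := json.Marshal(c)
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// parseClaims decodes the payload segment; it proves nothing about authenticity.
func parseClaims(segment string) (*Claims, error) {
	body, err := base64.RawURLEncoding.DecodeString(segment)
	c := &Claims{}
	if err != nil || json.Unmarshal(body, c) != nil {
		return nil, ErrMalformed
	}
	return c, nil
}

// checkSignature recomputes the HMAC over header.payload. The verifier, not the
// token's "alg" header, fixes the algorithm, so it cannot be downgraded to "none".
func checkSignature(key []byte, parts []string) error {
	want := hmac.New(sha256.New, key)
	want.Write([]byte(parts[0] + "." + parts[1]))
	got, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(got, want.Sum(nil)) {
		return ErrBadSignature
	}
	return nil
}

// verify is the safe ordering: signature first, claims second. ErrExpired is only
// ever reported for a genuine token, and no claims are returned on any error path,
// so a refresh triggered by "expired" can never run on attacker-chosen context.
func verify(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	if err := checkSignature(key, parts); err != nil {
		return nil, err
	}
	c, err := parseClaims(parts[1])
	if err != nil {
		return nil, err
	}
	if now.Unix() >= c.Expiry {
		return nil, ErrExpired
	}
	return c, nil
}

// claimsFirst mirrors the ordering the issue describes: expiry is judged from the
// unverified payload before the signature is checked, so a forged-but-expired
// token is reported as "expired" and its claims escape alongside the error.
func claimsFirst(key []byte, token string, now time.Time) (*Claims, error) {
	if parts := strings.Split(token, "."); len(parts) == 3 {
		if c, err := parseClaims(parts[1]); err == nil && now.Unix() >= c.Expiry {
			return c, ErrExpired
		}
	}
	return verify(key, token, now)
}

func main() {
	key, now := []byte("constructed-demo-key"), time.Unix(1700000000, 0)
	// Signed with a key the proxy does not trust and already expired: forged, not stale.
	forged := sign([]byte("not-the-idp-key"), Claims{Subject: "admin", Expiry: now.Unix() - 60})
	_, e1 := verify(key, forged, now)
	c, e2 := claimsFirst(key, forged, now)
	fmt.Println("signature-first:", e1, "| claims-first:", e2, "sub =", c.Subject)
}
```

The point for a proxy that refreshes on "expired": whichever error the verifier returns, the user context handed to the refresh path must come only from a token whose signature has already been checked, which `verify` guarantees by construction because it returns nil claims with every error.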
Prevent privilege escalations through invalid JWTs
This results in 401s even for expired tokens
Summary
Discussion here: https://groups.google.com/forum/#!topic/louketo/Dach4U_Iza8
Proposal
Introduce a flag to enable opentracing, under this flag:
Write some middleware to add extraction and injection of traces with some basic debug tags
Initialise a jaeger client to report spans
Type
[] Bug fix
[] Feature request
[x] Enhancement
[] Docs
Why?
Keycloak itself uses wildfly. Wildfly introduced support for open tracing https://wildfly.org/news/tags/wildfly/page/2/. There is talk of introducing support to Keycloak.
It would be good to see the auth flow through opentracing for debugging.
For us, we would like to integrate the gatekeeper into our auth flow for debugging.
Requirements
Configured using the standard jaeger client env variables
How to try it?
Use jaeger-all-in-one https://www.jaegertracing.io/docs/1.18/getting-started/ to test locally.
Documentation
Can write this as needed.
Additional Information
I can't see a clean way the proxy closes so right now this is not cleanly closing the jaeger client. Is cleanly shutting down also something worth thinking about?
Happy to help with anything to further this.
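The "extraction and injection of traces" middleware the proposal describes, as an added example that is not the PR's code: the PR wires a Jaeger client and the opentracing libraries, whereas this block uses only the standard library and the W3C `traceparent` header as a stand-in for Jaeger's own propagation header, so it runs offline. It shows the shape a defender should insist on: an inbound trace header is validated against a strict pattern before it is continued, a malformed one is discarded and a fresh trace started, and the span context is carried in the request context and injected onto the upstream call. The handler names, the header choice and the sample trace id are assumptions of this example.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
)

// ctxKey keys the propagated trace header inside the request context.
type ctxKey struct{}

// traceparentRE accepts only well-formed W3C Trace Context headers:
// version-traceid-parentid-flags, all lowercase hex.
var traceparentRE = regexp.MustCompile(`^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$`)

func randHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// extractTraceID returns the trace id carried by an incoming header, or "" when
// the header is absent or malformed. A malformed value is dropped rather than
// propagated, so a client cannot push arbitrary strings into the trace backend
// or into headers sent upstream.
func extractTraceID(header string) string {
	m := traceparentRE.FindStringSubmatch(header)
	if m == nil {
		return ""
	}
	return m[1]
}

// tracing is the middleware: it continues an incoming trace or starts a new one,
// records the span's traceparent in the request context, and echoes it on the
// response so the caller can correlate with the proxy's span.
func tracing(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		traceID := extractTraceID(r.Header.Get("traceparent"))
		if traceID == "" {
			traceID = randHex(16) // fresh 128-bit trace id
		}
		tp := fmt.Sprintf("00-%s-%s-01", traceID, randHex(8)) // new 64-bit span id
		w.Header().Set("traceparent", tp)
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, tp)))
	})
}

// inject copies the current span's traceparent onto a request headed upstream.
func inject(ctx context.Context, out *http.Request) {
	if tp, ok := ctx.Value(ctxKey{}).(string); ok {
		out.Header.Set("traceparent", tp)
	}
}

// roundTrip pushes one request through the middleware and returns the trace id
// echoed to the client and the traceparent the upstream call would carry.
func roundTrip(incoming string) (traceID, upstream string) {
	h := tracing(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		up, _ := http.NewRequest(http.MethodGet, "http://upstream.invalid/", nil)
		inject(r.Context(), up)
		upstream = up.Header.Get("traceparent")
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if incoming != "" {
		req.Header.Set("traceparent", incoming)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return extractTraceID(rec.Header().Get("traceparent")), upstream
}

func main() {
	id, up := roundTrip("00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01") // constructed sample
	fmt.Println("continued trace:", id, "upstream header:", up)
	id, up = roundTrip("not-a-traceparent")
	fmt.Println("new trace:", id, "upstream header:", up)
}
```

In the real middleware the span would be reported to the Jaeger agent, and the client's shutdown (the closer the PR description says is not yet called) would flush spans still in the reporter's buffer; the validation step above is independent of which client is used.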