apollographql / router

A configurable, high-performance routing runtime for Apollo Federation 🚀
https://www.apollographql.com/docs/router/

Ability to redact header values in JWT authentication info log #6200

Open dupham-indeed opened 2 weeks ago

dupham-indeed commented 2 weeks ago

Is your feature request related to a problem? Please describe.

Currently, once JWT is configured and the router spins up, the following info log will be printed out at startup:

2024-10-28T15:12:08.984490Z INFO  JWT authentication using JWKSets from jwks=[JwksConf { url: "<jwk_url>", poll_interval: 60s, issuer: Some("<issuer_url>"), algorithms: Some([ES256]), headers: [Header { name: "x-client-id", value: "<client_id_value>" }, Header { name: "x-api-key", value: "<api_key_value>" }, Header { name: "x-client-version", value: "<client_version_value>" }] }]

For our situation, is considered a sensitive value and shouldn't be printed out in the logs, which can be viewed in observability tools such as Datadog. We would like to have the ability to have that value redacted for security concerns.

Describe the solution you'd like

One possibility

authentication:
  router:
    jwt:
      jwks:
        - url: <jwk_url>
          headers:
            - name: x-api-key
              value: <api_key_value>
              is_sensitive: true # (default value is false)

Then the output will look like

2024-10-28T15:12:08.984490Z INFO  JWT authentication using JWKSets from jwks=[JwksConf { url: "<jwk_url>", poll_interval: 60s, issuer: Some("<issuer_url>"), algorithms: Some([ES256]), headers: [Header { name: "x-client-id", value: "<client_id_value>" }, Header { name: "x-api-key", value: "redacted" }, Header { name: "x-client-version", value: "<client_version_value>" }] }]

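One way the `is_sensitive` flag proposed above could be honored in Rust, as an added example that is not part of the original issue and not the router's own code: a hand-written `Debug` impl that substitutes `"redacted"` before the value reaches the formatter. The `Header` and `JwksConf` structs are hypothetical stand-ins whose names and fields mirror the log line in the issue, and `sample_conf` and `startup_log_line` are illustrative helpers with constructed values.

```rust
use std::fmt;

// Hypothetical stand-in for the header config seen in the log line;
// `is_sensitive` is the flag proposed in the issue (default false).
struct Header {
    name: String,
    value: String,
    is_sensitive: bool,
}

impl fmt::Debug for Header {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        // The real value is never handed to the formatter when flagged.
        let shown = if self.is_sensitive { "redacted" } else { self.value.as_str() };
        f.debug_struct("Header")
            .field("name", &self.name)
            .field("value", &shown)
            .finish()
    }
}

// Hypothetical subset of the JWKS config; the derived Debug delegates to
// Header's impl, so redaction applies wherever the config is printed with {:?}.
#[allow(dead_code)]
#[derive(Debug)]
struct JwksConf {
    url: String,
    headers: Vec<Header>,
}

// Constructed sample config using the placeholder values from the issue.
fn sample_conf() -> JwksConf {
    let h = |name: &str, value: &str, is_sensitive: bool| Header {
        name: name.to_string(),
        value: value.to_string(),
        is_sensitive,
    };
    JwksConf {
        url: "<jwk_url>".to_string(),
        headers: vec![
            h("x-client-id", "<client_id_value>", false),
            h("x-api-key", "<api_key_value>", true),
        ],
    }
}

fn startup_log_line(conf: &[JwksConf]) -> String {
    format!("JWT authentication using JWKSets from jwks={:?}", conf)
}

fn main() {
    println!("{}", startup_log_line(&[sample_conf()]));
}
```

Redacting in the `Debug` impl covers every `{:?}` of the containing config, but not other output paths such as serialization or code that reads the `value` field directly.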