mintel / dex-k8s-authenticator

A Kubernetes Dex Client Authenticator
MIT License

Expose user IP address in the logs #187

Open Dentrax opened 2 years ago

Dentrax commented 2 years ago

Currently, we are only exposing the following fields in the logs:

{
  "iss": "https://k8s.example.com",
  "sub": "...",
  "aud": "example-app",
  "exp": 1640342247,
  "iat": 1640255847,
  "at_hash": "...",
  "email": "foo@test.com",
  "email_verified": true,
  "groups": [
    ""
  ],
  "name": "Foo"
}

It would be great to pass the user's IP address during the authentication process. What do you think?

Dentrax commented 2 years ago

I'm not sure whether this is the correct place to ask, but should we handle this in dex/server/oauth2.go instead? Any thoughts, @nabokihms? Should we move this issue there?

nabokihms commented 2 years ago

Hello there. There are a couple of obstacles that make implementing this feature a little bit harder in Dex:

  1. Dex should know the real IP addresses of clients, so we have to add options like real_ip_header and trusted_networks etc. I remember some open issues with the intention of adding client addresses to Dex logs, but still no progress. As of now, Dex is not aware of clients' IPs.

  2. The fields from the top post are called claims and represent user attributes (attributes of the token holder) and some meta-information. Per the OIDC spec, there is a limited set of standard claims, which does not include the IP address. We have a pinned issue about the middleware layer, which should provide the ability to add custom claims to the token.

After solving these two puzzles, we will be able to move forward with your idea.
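
The trust decision behind the real_ip_header and trusted_networks options mentioned in the comment above, as an added Go example that is not part of the thread and is not Dex's code: the forwarding header is used only when the TCP peer lies in a trusted network, so a direct client cannot forge the logged address. The Resolver type, its field names and the sample addresses are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Resolver is hypothetical; its fields mirror real_ip_header and trusted_networks.
type Resolver struct {
	RealIPHeader    string
	TrustedNetworks []*net.IPNet
}

func (c Resolver) trusted(ip net.IP) bool {
	for _, n := range c.TrustedNetworks {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP honours the header only when the TCP peer is a trusted proxy.
func (c Resolver) ClientIP(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	if !c.trusted(net.ParseIP(host)) {
		return host
	}
	hops := strings.Split(strings.Join(r.Header.Values(c.RealIPHeader), ","), ",")
	for i := len(hops) - 1; i >= 0; i-- { // right to left: our own proxies first
		if ip := net.ParseIP(strings.TrimSpace(hops[i])); ip == nil {
			break // malformed entry: fall back to the peer address
		} else if !c.trusted(ip) {
			return ip.String() // nearest address that is not one of our proxies
		}
	}
	return host
}

func main() { // constructed sample: trusted proxy 10.0.0.5, forged first hop
	_, n, _ := net.ParseCIDR("10.0.0.0/8")
	r := &http.Request{RemoteAddr: "10.0.0.5:4711", Header: http.Header{}}
	r.Header.Set("X-Forwarded-For", "198.51.100.9, 203.0.113.7")
	fmt.Println(Resolver{"X-Forwarded-For", []*net.IPNet{n}}.ClientIP(r))
}
```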