open-telemetry / semantic-conventions

Defines standards for generating consistent, accessible telemetry across a variety of domains
Apache License 2.0

Semantic conventions for JWT tokens. #1190

Open hsblhsn opened 2 years ago

hsblhsn commented 2 years ago

What are you trying to achieve?

I want to log my jwt token data into my trace and spans. But there are no semantic naming conventions for that. I found enduser.id but that is for storing only the end user. While a jwt token consists of a lot of things like expiration, issuer, audience etc.

What did you expect to see?

I want to see a standardized naming convention for jwt tokens.

spencerwilson commented 2 years ago

The spans that would contain this info, what operation in your application would they correspond to? For example, would you just put this data on the top-level SERVER-type spans? Or somewhere else?

I’m reminded a bit of the enduser namespace: https://github.com/open-telemetry/semantic-conventions/blob/5077fd5ccf64e3ad0821866cc80d77bb24098ba2/docs/general/attributes.md#general-identity-attributes

edit: The enduser namespace is replaced by user as of May 2024; see https://github.com/open-telemetry/semantic-conventions/blob/5077fd5ccf64e3ad0821866cc80d77bb24098ba2/docs/attributes-registry/user.md

SergeyKanzhelev commented 2 years ago

Can you list what data you want to store and the scenarios for using it? I wonder if those are reusable beyond the JWT token scenario or specific to it.

hsblhsn commented 2 years ago

This is what I am using right now:

package tracing

import "go.opentelemetry.io/otel/attribute"

const (
    AttributeKID             = attribute.Key("jwt.headers.kid") // public key id.
    AttributeID              = attribute.Key("jwt.claims.jti") // token id.
    AttributeIssuer          = attribute.Key("jwt.claims.iss") // issuer.
    AttributeSubject         = attribute.Key("jwt.claims.sub") // subject (user_id).
    AttributeAudience        = attribute.Key("jwt.claims.aud") // audience (my domain).
    AttributeAuthorizedParty = attribute.Key("jwt.claims.azp") // Authorized party (client_id).
    AttributeExpiresAt       = attribute.Key("jwt.claims.exp") // Expiry.
    AttributeNotBefore       = attribute.Key("jwt.claims.nbf") // Not before.
    AttributeIssuedAt        = attribute.Key("jwt.claims.iat") // Issued At.
    AttributePurpose         = attribute.Key("jwt.claims.purpose") // Purpose of the token.
    AttributeScopes          = attribute.Key("jwt.claims.scopes") // Scopes and permissions.
)

Here I am using the standard claim names of the jwt spec. I believe we can go further and use readable attributes and reuse them whenever possible. The above code is my very personal implementation.
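An added example, not hsblhsn's code or anything from the semantic-conventions project: a stdlib-only Go function that turns a verified compact JWS into the attribute names listed in the comment above, copying only the header `kid` and an allow-list of registered claims, so the raw token, its signature and any custom claims never reach trace storage. It assumes the caller has already verified the signature and uses plain string keys in place of `attribute.Key`.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims copied onto the span, keyed by the attribute names from the comment above;
// any other claim in the payload is dropped on purpose rather than forwarded to trace storage.
var claimAttributes = map[string]string{
	"jti": "jwt.claims.jti", "iss": "jwt.claims.iss", "sub": "jwt.claims.sub",
	"aud": "jwt.claims.aud", "azp": "jwt.claims.azp", "exp": "jwt.claims.exp",
	"nbf": "jwt.claims.nbf", "iat": "jwt.claims.iat",
}

// JWTSpanAttributes returns the key/value pairs to record for a compact JWS whose
// signature the caller has already verified (assumption). It reads the header "kid"
// and the allow-listed claims only; the signature segment and the raw token are never returned.
func JWTSpanAttributes(token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected 3 segments")
	}
	var header, claims map[string]any
	for i, into := range []any{&header, &claims} {
		raw, err := base64.RawURLEncoding.DecodeString(parts[i]) // unpadded base64url per JWS
		if err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
		dec := json.NewDecoder(strings.NewReader(string(raw)))
		dec.UseNumber() // integer claims such as exp would otherwise render as 1.7e+09
		if err := dec.Decode(into); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	attrs := make(map[string]string)
	if kid, ok := header["kid"].(string); ok {
		attrs["jwt.headers.kid"] = kid
	}
	for claim, key := range claimAttributes {
		if v, ok := claims[claim]; ok {
			attrs[key] = fmt.Sprint(v) // json.Number keeps "1700000000"; an "aud" array prints as "[a b]"
		}
	}
	return attrs, nil
}
```

The returned map is what you would hand to `span.SetAttributes`; `sub` is still an identifier, so apply your own PII policy before recording it.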

lmolkova commented 3 days ago

related #1172