The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
Hydra already redacts some fields for you, such as "cookie". There are other fields that should (according to our company guidelines) also be redacted, such as:
headers:
cf-connecting-ip
forwarded
x-forwarded-for
which contain IP address, which can be deemed as sensitive.
I have searched the Hydra docs and the issues in this repo and it does not appear that it's possible to choose what fields get redacted. In this particular case, it would be great to redact more fields by default (rather than the existing config option of showing the sensitive data).
Describe your ideal solution
Configuration option for Hydra to list other fields that should be redacted in addition to the default ones. This list would be merged with the internal one that contains "cookies", "query", etc..
Workarounds or alternatives
If there is a way of doing this that's undocumented in Hydra, that would be great to know :). This data could be scrubbed elsewhere potentially, like in DataDog for example, but since you're already doing redaction and just need to expose some config to add to it, I think it's a reasonable request?
Preflight checklist
Ory Network Project
No response
Describe your problem
Hydra already redacts some fields for you, such as "cookie". There are other fields that should (according to our company guidelines) also be redacted, such as: headers: cf-connecting-ip forwarded x-forwarded-for
which contain IP address, which can be deemed as sensitive.
I have searched the Hydra docs and the issues in this repo and it does not appear that it's possible to choose what fields get redacted. In this particular case, it would be great to redact more fields by default (rather than the existing config option of showing the sensitive data).
Describe your ideal solution
Configuration option for Hydra to list other fields that should be redacted in addition to the default ones. This list would be merged with the internal one that contains "cookies", "query", etc..
Workarounds or alternatives
If there is a way of doing this that's undocumented in Hydra, that would be great to know :). This data could be scrubbed elsewhere potentially, like in DataDog for example, but since you're already doing redaction and just need to expose some config to add to it, I think it's a reasonable request?
Version
oryd/hydra:v1.11.10
Additional Context
No response