Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure JWT authenticator not to logging sensitive data #1115

Open
4 of 6 tasks
StanislavStefanov opened this issue Jun 27, 2023 · 3 comments
Open
4 of 6 tasks

Configure JWT authenticator not to logging sensitive data #1115

StanislavStefanov opened this issue Jun 27, 2023 · 3 comments
Labels
feat New feature or request.

Comments

@StanislavStefanov
Copy link

Preflight checklist

Describe your problem

If the authenticator fails to validate the provided JWT token the returned error is enriched with the contents of the jwt claims from the token. The claims contain user personal data such as names and email address. According to our policy such information is treated as sensitive data and we should not log it. We need a way to configure whether the error should be enriched or not.

Describe your ideal solution

The suggested approach is to have a new configuration value of type bool within AuthenticatorOAuth2JWTConfiguration which would tell Oathkeeper to enrich the errors with the data from the jwt claims or not. The default value of the new configuration can be 'true' in order to keep the current behaviour and in cases where the enrichement of the message is not desired it could be overridden to 'false'.

Workarounds or alternatives

Based on the current approach I couldnt think of other approach that can keep the current default behaviour and provide the new functionality

Version

Currently we use v0.38.25-beta.1, but will be upgrading to the latest version

Additional Context

No response

@StanislavStefanov StanislavStefanov added the feat New feature or request. label Jun 27, 2023
Copy link

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

  • open a PR referencing and resolving the issue;
  • leave a comment on it and discuss ideas on how you could contribute towards resolving it;
  • leave a comment and describe in detail why this issue is critical for your use case;
  • open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

@github-actions github-actions bot added the stale Feedback from one or more authors is required to proceed. label Jun 27, 2024
@benfielden-onx
Copy link

We just discovered this in our logs as well as we flipped on our implementation and then started getting compliance alerts for our logs containing email and names.

@StanislavStefanov Did you ever find a workaround?

@github-actions github-actions bot removed the stale Feedback from one or more authors is required to proceed. label Jul 24, 2024
@StanislavStefanov
Copy link
Author

@benfielden-onx This issue is becoming increasingly important for our project but unfortunately we haven't found any workaround yet. It is a pity that such a small change requires so much time to be implemented. It looks like it is up to us, the users of Oathkeeper to contribute this feature.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feat New feature or request.
Projects
None yet
Development

No branches or pull requests

2 participants