Propagate authorization header or user identity information using Otel java

[buchireddy]

Use case

In the microservices world, we need to propagate either Authorization header/JWT token or some other header/cookie from one service to the other, if we want to carry the context of the actual end-user who made a given request. It's often useful and required for auditing, fine-grained authorization and least privilege implementations.

Idea

For java services, propagating a JWT token across services needs code changes, pretty much like trace context propagation. Since Otel java is propagating a bunch of information, does it make sense to propagate this as well or is it totally an out-of-place idea (it could totally be)?
Even if the JWT propagation can't be done in Otel java library, does it make sense to reuse some parts of Otel java code to do the propagation so that people don't have to write any code to get this working?
Open for brainstorming and hearing different ideas.

[anuraaga]

Hi @buchireddy - I agree that OpenTelemetry context is a good candidate for propagating an authorization token. Our Context isn't a trace context, it's more generic for anything propagated across a request - a "Security Context" is also a common type of context and seems to be what you need here.

A TextMapPropagator that extracts a Authorization header, validates the JWT, and inserts it into Context as some structure (e.g., DecodedJwt from java-jwt) and serializes into Authorization, you'd get propagation that works with any HTTP framework supported by our instrumentation without any other code changes.

[buchireddy]

@anuraaga Can this go into the main otel-java or should it be treated as an additional propagator like mentioned here: https://github.com/open-telemetry/opentelemetry-specification/blob/master/specification/context/api-propagators.md?

[jkwatson]

I don't think this is something we should put into the main otel-java repository. I could possibly see it in the https://github.com/open-telemetry/opentelemetry-java-contrib repository.

[anuraaga]

@buchireddy Ah - I was talking generally in terms of how to use Context in an application. I think there are too many ways to handle Authorization header (JWT, basic auth, etc) for it to really make sense as an OpenTelemetry component - it's not telemetry. But it's a good approach in apps, or server frameworks I think.

[buchireddy]

Cool. Thanks for your answers. We can probably add it to the https://github.com/open-telemetry/opentelemetry-java-contrib like @jkwatson mentioned. Will probably raise the PR against that repo if I can contribute.

Should this discussion be resolved?

[anuraaga]

Yeah think so - though not sure if non-question type of discussions have a resolved state :) But no worries if not.