Add tracing to outbound oauth introspection requests

ory · Feb 25, 2021 · daf44cb · daf44cb
1 parent fe013c2
commit daf44cb
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -36,6 +36,7 @@ require (
 	github.com/lib/pq v1.3.0
 	github.com/mattn/goveralls v0.0.6
 	github.com/mitchellh/copystructure v1.0.0
+	github.com/opentracing/opentracing-go v1.2.0
 	github.com/ory/analytics-go/v4 v4.0.1
 	github.com/ory/cli v0.0.10
 	github.com/ory/fosite v0.36.1

diff --git a/go.sum b/go.sum
@@ -1163,6 +1163,8 @@ github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFSt
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.1.1-0.20190913142402-a7454ce5950e h1:fI6mGTyggeIYVmGhf80XFHxTupjOexbCppgTNDkv9AA=
 github.com/opentracing/opentracing-go v1.1.1-0.20190913142402-a7454ce5950e/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5 h1:ZCnq+JUrvXcDVhX/xRolRBZifmabN1HcS1wrPSvxhrU=
 github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxSfWAKL3wpBW7V8scJMt8N8gnaMCS9E/cA=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=

diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -11,6 +11,9 @@ import (
 
 	"github.com/dgraph-io/ristretto"
 
+	"github.com/opentracing/opentracing-go"
+	"github.com/opentracing/opentracing-go/ext"
+
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/clientcredentials"
 
@@ -125,6 +128,29 @@ func (a *AuthenticatorOAuth2Introspection) tokenToCache(config *AuthenticatorOAu
 	}
 }
 
+func (a *AuthenticatorOAuth2Introspection) traceRequest(ctx context.Context, req *http.Request) func(){
+	tracer := opentracing.GlobalTracer()
+	if tracer == nil {
+		return func(){}
+	}
+
+	parentSpan := opentracing.SpanFromContext(ctx)
+	opts := make([]opentracing.StartSpanOption, 0, 1)
+	if parentSpan != nil {
+		opts = append(opts, opentracing.ChildOf(parentSpan.Context()))
+	}
+
+	urlStr := req.URL.String()
+	clientSpan := tracer.StartSpan(req.Method + " " + urlStr, opts...)
+
+	ext.SpanKindRPCClient.Set(clientSpan)
+	ext.HTTPUrl.Set(clientSpan, urlStr)
+	ext.HTTPMethod.Set(clientSpan, req.Method)
+
+	tracer.Inject(clientSpan.Context(), opentracing.HTTPHeaders, opentracing.HTTPHeadersCarrier(req.Header))
+	return clientSpan.Finish
+}
+
 func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session *AuthenticationSession, config json.RawMessage, _ pipeline.Rule) error {
 	cf, err := a.Config(config)
 	if err != nil {
@@ -155,7 +181,14 @@ func (a *AuthenticatorOAuth2Introspection) Authenticate(r *http.Request, session
 		}
 		// set/override the content-type header
 		introspectReq.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+		// add tracing
+		closeSpan := a.traceRequest(r.Context(), introspectReq)
+
 		resp, err := a.client.Do(introspectReq.WithContext(r.Context()))
+
+		// close the span so it represents just the http request
+		closeSpan()
 		if err != nil {
 			return errors.WithStack(err)
 		}