Merged
7 changes: 5 additions & 2 deletions gateway/mw_jwt.go
@@ -937,8 +937,10 @@
}

oauthClientID := ""
// Get the OAuth client ID if available:
// Get the OAuth client ID if available.
// This step is skipped for external IDPs if IDPClientIDMappingDisabled is set to true.
if !k.Spec.IDPClientIDMappingDisabled {
k.Logger().Debug("IDP client ID mapping enabled, attempting to retrieve OAuth client ID from claims.")
oauthClientID = k.getOAuthClientIDFromClaim(claims)
}
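
Review bot: The new comment above the `oauthClientID` lookup says the step is skipped "for external IDPs", but the guard `if !k.Spec.IDPClientIDMappingDisabled` checks only the flag, not whether the IDP is external, so the lookup is skipped for any API definition that sets the flag. Either make the comment match the code ("skipped when IDPClientIDMappingDisabled is set") or gate the skip on the external-IDP condition the comment describes. Because the zero value of the new bool keeps mapping enabled, existing API definitions keep their current behaviour, which is the right default and worth stating in the field's documentation. The added `Debug` line now runs on every authenticated request; that is acceptable at `Debug`, but it should not be promoted to a higher level later.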

@@ -981,10 +983,11 @@
if err := k.ApplyPolicies(&session); err != nil {
return errors.New("failed to apply policies in session metadata: " + err.Error()), http.StatusInternalServerError
}
}

Check warning on line 986 in gateway/mw_jwt.go

probelabs / Visor: connectivity

performance Issue

The log level for a failed OAuth client lookup has been raised from `Debug` to `Warn`. This log is on the critical path for every authenticated API request. For common configurations using external Identity Providers, this failure is an expected event. Logging it as a warning for every request can create significant I/O overhead and log volume under high traffic, degrading gateway performance.
Raw output
Revert the log level from `Warnf` back to `Debugf` to avoid performance degradation under high load. A warning for a frequent and expected event in a hot path is not ideal. Consider logging a single warning during API definition loading if a sub-optimal configuration is detected, rather than on every request.
}
} else {
k.Logger().WithError(err).Debug("Couldn't get OAuth client")
k.Logger().WithError(err).

Check warning on line 989 in gateway/mw_jwt.go

probelabs / Visor: security

security Issue

The log level for an error that could potentially contain sensitive data has been elevated from `Debug` to `Warn`. The error originates from a function that unmarshals an `OauthClient` object, which contains a `ClientSecret`. If the stored client data is malformed, the JSON unmarshal error could include fragments of sensitive data. Logging this at the `Warn` level increases the risk of exposing this data in production logs.
Raw output
To mitigate the risk of leaking sensitive data, log a generic warning message without the raw error object. The detailed error can remain at the `Debug` level for troubleshooting purposes, which is less likely to be enabled in production environments.
Warnf("Failed to retrieve OAuth client. For external IDPs, consider disabling IDP client ID mapping for better performance.")
}
}
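
Review bot: Raising the failed-lookup log from `Debug` to `Warnf` while still attaching the raw error through `WithError(err)` writes an error that may carry details of the stored OAuth client record into production logs on every request for which the lookup fails, and for deployments using an external IDP that failure is the normal case rather than an anomaly. Keep `k.Logger().WithError(err).Debug(...)` for the detailed error, and if operators need the hint about disabling IDP client ID mapping, emit it once when the API definition is loaded rather than on each request. Minor: `Warnf` is called with no format arguments, so `Warn` is the idiomatic call here.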
