[TT-14494] improve error logging for JWKS URL handling #7593
probelabs / Visor: security
failed
Dec 17, 2025 in 2m 51s
🚨 Check Failed
security check failed because fail_if condition was met.
Details
📊 Summary
- Total Issues: 5
- Critical Issues: 3
- Error Issues: 1
- Warning Issues: 1
🔍 Failure Condition Results
Failed Conditions
- global_fail_if: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
- Severity: ❌ error
Issues by Category
Security (4)
- 🚨 gateway/mw_external_oauth.go:220 - The `jwtValidation.Source` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
- 🚨 gateway/mw_jwt.go:245 - The `cachedAPIDef.JWTSource` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
- 🚨 gateway/mw_jwt.go:344 - The `config.JWTSource` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
- ⚠️ gateway/log_helpers.go:113 - The `jwkURL` is logged directly in multiple error messages within the `logJWKError` function. URLs, especially for authentication-related endpoints like JWKS, can sometimes contain sensitive information such as access tokens in query parameters. Logging the full URL could expose this information.
Logic (1)
- ❌ system:0 - Global failure condition met: output.issues && output.issues.some(i => i.severity === 'critical' || i.severity === 'error')
Powered by Visor from Probelabs
💡 TIP: You can chat with Visor using /visor ask <your question>
Annotations
Check failure on line 220 in gateway/mw_external_oauth.go
security Issue
The `jwtValidation.Source` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
Raw output
Avoid logging the raw `JWTSource`. Instead, log a generic error message or a sanitized version of the source (e.g., its type or length).
```go
k.Logger().WithError(err).Error("JWKS source decode failed: input is not a valid base64 string")
```
Check failure on line 245 in gateway/mw_jwt.go
security Issue
The `cachedAPIDef.JWTSource` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
Raw output
Avoid logging the raw `JWTSource`. Instead, log a generic error message or a sanitized version of the source (e.g., its type or length).
```go
k.Logger().WithError(err).Error("JWKS source decode failed: input is not a valid base64 string")
```
Check failure on line 344 in gateway/mw_jwt.go
security Issue
The `config.JWTSource` field, which can contain a base64-encoded secret for JWT signing (e.g., for HMAC algorithms), is logged in cleartext if base64 decoding fails. This can expose sensitive credentials in the logs.
Raw output
Avoid logging the raw `JWTSource`. Instead, log a generic error message or a sanitized version of the source (e.g., its type or length).
```go
k.Logger().WithError(err).Error("JWKS source decode failed: input is not a valid base64 string")
```
Check warning on line 116 in gateway/log_helpers.go
security Issue
The `jwkURL` is logged directly in multiple error messages within the `logJWKError` function. URLs, especially for authentication-related endpoints like JWKS, can sometimes contain sensitive information such as access tokens in query parameters. Logging the full URL could expose this information.
Raw output
Sanitize the URL before logging it. Parse the URL and log only the scheme, host, and path, omitting the query string. Alternatively, implement a filtering mechanism to remove known sensitive query parameters.
Example:
```go
// Requires "net/url". Only scheme, host and path reach the log; the query
// string and fragment are dropped. If parsing fails, the raw value is logged unchanged.
parsedURL, parseErr := url.Parse(jwkURL)
sanitizedURL := jwkURL
if parseErr == nil {
	parsedURL.RawQuery = ""
	parsedURL.Fragment = ""
	sanitizedURL = parsedURL.String()
}
logger.WithError(err).Errorf("JWKS endpoint resolution failed: invalid or unreachable host %s", sanitizedURL)
```
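The following is an added example, not code from the Visor report or from the gateway project, covering both findings above in one helper: the three critical hits (a base64 secret echoed into the log when decoding fails) and the warning (a JWKS URL logged with its query string). It assumes that a JWT source is either an http(s) URL or a base64-encoded secret, and the function names `redactJWTSource` and `sanitizeURLForLog` are mine. It goes one step beyond the suggestion in the report by also dropping userinfo (`user:pass@host`) from the URL and by never falling back to the raw value when parsing fails.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// sanitizeURLForLog keeps only scheme, host and path. Userinfo, the query
// string and the fragment are where credentials and tokens usually ride, so
// they are dropped. An unparseable URL is never echoed back into the log.
func sanitizeURLForLog(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "<unparseable url>"
	}
	u.User = nil       // strips user:pass@ from the authority
	u.RawQuery = ""    // drops ?access_token=...
	u.ForceQuery = false
	u.Fragment = ""    // drops #...
	return u.String()
}

// redactJWTSource returns a log-safe description of a JWT source. The value
// itself is never returned: a URL is sanitised, anything else is reported
// only by kind and length, so a base64 HMAC secret that fails to decode is
// not leaked through the error message (hypothetical helper, not project code).
func redactJWTSource(src string) string {
	if strings.HasPrefix(src, "http://") || strings.HasPrefix(src, "https://") {
		return "url:" + sanitizeURLForLog(src)
	}
	if _, err := base64.StdEncoding.DecodeString(src); err == nil {
		return fmt.Sprintf("base64(len=%d)", len(src))
	}
	return fmt.Sprintf("opaque(len=%d)", len(src))
}

func main() {
	// Constructed sample inputs; none of these are real endpoints or secrets.
	samples := []string{
		"https://idp.example/.well-known/jwks.json?access_token=abc123#frag",
		"https://bob:hunter2@idp.example/jwks",
		"c2VjcmV0",       // base64("secret")
		"not base64!!",   // the failing-decode case the report is about
	}
	for _, s := range samples {
		// This is what a log line should carry instead of the raw source.
		fmt.Printf("JWKS source decode failed: source=%s\n", redactJWTSource(s))
	}
}
```

The decode-failure branch is the one that matters for the three critical findings: the secret is only ever described as `opaque(len=N)`, which is enough to debug a mis-pasted configuration value without putting the key material in the log.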