oauth2. Hide secrets in endpoint_params.

[dezzzm]

When configuring oauth2 with endpoint_params.grant_type=password, you have to specify the login and password of the account.
This information is displayed in plain text and is not hidden in any way either in the configuration or when logging into the web interface (http://ip:9115/config or http://ip:9115/logs?id=1).

Example:

modules:
    http_2xx_oauth_dex:
        prober: http
        timeout: 5s
        http:
            valid_status_codes:
                - 200
            valid_http_versions:
                - HTTP/1.1
                - HTTP/2.0
            preferred_ip_protocol: ip4
            ip_protocol_fallback: true
            headers:
                user-agent: Blackbox Exporter/0.27.0, Chrome
            oauth2:
                client_id: test
                client_secret_file: /etc/blackbox_exporter/secrets/secret_http_2xx_oauth_dex
                token_url: https://keycloak.k8s.test.local/realms/test/protocol/openid-connect/token
                endpoint_params:
                    grant_type: password
                    password: <password in plain text>
                    username: <username in plain text>

Please add endpoint_params_file or password_file similar to client_secret_file to hide sensitive information.

[endesapt]

I've read the code that is responsible for handling oauth, the configuration of it is described in
github.com/prometheus/common package

type OAuth2 struct {
	ClientID         string `yaml:"client_id" json:"client_id"`
	ClientSecret     Secret `yaml:"client_secret" json:"client_secret"`
	ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"`
	// ClientSecretRef is the name of the secret within the secret manager to use as the client
	// secret.
	ClientSecretRef string            `yaml:"client_secret_ref" json:"client_secret_ref"`
	Scopes          []string          `yaml:"scopes,omitempty" json:"scopes,omitempty"`
	TokenURL        string            `yaml:"token_url" json:"token_url"`
	EndpointParams  map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"`
	TLSConfig       TLSConfig         `yaml:"tls_config,omitempty"`
	ProxyConfig     `yaml:",inline"`
}

which when creating request next passes it to golang.org/x/oauth2 package here
return client, config.TokenSource(ctx), nil
so it is not on the blackbox exporter side.
as u can see EnpointParams is just map of strings so it is not "hiding" anything like BasicAuth password for example
i guess u can address this problem to prometheus?

Or maybe blackbox exporter config can add something like

HTTPProbe struct{
   ...
   MaskHTTPClientConfig bool `yaml:mask_http_client_config`
}

which obviously will "hide" httpConfig in case it has any creadentials in its configuration which are not hided initially

I am not sure if we should ping maintainers or they will read this and say anythyng about it)