ory / hydra

OpenID Certified™ OpenID Connect and OAuth Provider written in Go - cloud native, security-first, open source API security for your infrastructure. SDKs for any language. Works with Hardware Security Modules. Compatible with MITREid.

Home Page:https://www.ory.sh/hydra/?utm_source=github&utm_medium=banner&utm_campaign=hydra


Add tracing headers (or cookies) to the "User login and consent flow" so the login service and UI service can link their traces to Hydra's traceparent

denysandriyanov opened this issue · comments

Preflight checklist

Ory Network Project

No response

Describe your problem

Given: Ory Hydra implements the User login and consent flow, which also involves login and consent services. These services are used in the user login flow.

When the user login flow is initiated, Hydra first redirects to the /login endpoint of the login service. After the login is accepted, Hydra redirects to the /consent endpoint. Other than that, there is the /logout endpoint, which is involved in the logout flow.

Then: Hydra should add trace context to the headers (or cookies?) of the above-mentioned requests/redirects so the login and consent services can receive these traces, use them as the traceparent, and attach their spans.

Currently, it is only possible to trace the request up to and including /oauth2/auth, but once Hydra redirects to the /login endpoint we lose the trace (obviously). So if Hydra could add a header with the traceparent ID, or a cookie with the traceparent ID, it would help to link everything together.

Describe your ideal solution

When Hydra starts the User login and consent flow, we can see this in the logs:
otel=map[span_id:a394e0781b9bd541 trace_id:cbe23a39bad38179a9299472fddba889]

This data should also be added to the headers of the requests incoming to the /login, /consent, and /logout endpoints, respectively.

Hydra should also be able to read these headers: if, for example, the login service adds a traceparent header after it accepts the login request and redirects back to Hydra, Hydra can read this header and continue the flow using the received traceparent.

Maybe this could also be done through cookies.

This way, it would be possible to have the complete user login and consent flow mapped as one flow.

Expected Benefits
Enhanced traceability throughout the user login and consent flow.
Simplified monitoring and debugging of the entire flow with consolidated trace information.

This enhancement would contribute to a more comprehensive and traceable Hydra user login and consent experience.

Workarounds or alternatives

none

Version

2

Additional Context

No response
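The propagation the issue asks for, as an added example (this is not Hydra's code and not part of the original issue; it is written here to show what the request amounts to): the redirecting side carries a W3C `traceparent` value (version-trace_id-parent_id-trace_flags) across the 302 to the login/consent/logout UI, and the receiving side reads it back as the parent of its own spans. The code uses only the Go standard library rather than the OpenTelemetry SDK so it runs stand-alone; the cookie name `traceparent`, the 5-minute cookie lifetime and the `login.example` URL are assumptions, and the trace and span ids in `main` are taken from the log line quoted in the issue. One detail worth noting: a response header on a redirect is seen only by the browser, so the cookie is what actually reaches the next service; the header still helps proxies and browser tooling.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TraceParent holds the fields of a W3C Trace Context "traceparent" value,
// e.g. 00-cbe23a39bad38179a9299472fddba889-a394e0781b9bd541-01
type TraceParent struct {
	TraceID string // 32 lowercase hex chars, not all zero
	SpanID  string // 16 lowercase hex chars, not all zero
	Sampled bool   // bit 0 of trace_flags
}

// "traceparent" is the header name fixed by the W3C spec; using the same
// string as the cookie name is an assumption made for this example.
const (
	traceParentHeader = "traceparent"
	traceParentCookie = "traceparent"
)

func isLowerHex(s string) bool {
	for _, c := range s {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'f') {
			return false
		}
	}
	return true
}

func allZero(s string) bool { return strings.Trim(s, "0") == "" }

// ParseTraceParent validates a traceparent value. Only version 00 is accepted
// here; a production parser should also tolerate future versions.
func ParseTraceParent(v string) (TraceParent, error) {
	parts := strings.Split(strings.TrimSpace(v), "-")
	if len(parts) != 4 {
		return TraceParent{}, errors.New("traceparent: expected version-traceid-spanid-flags")
	}
	ver, tid, sid, flags := parts[0], parts[1], parts[2], parts[3]
	switch {
	case ver != "00":
		return TraceParent{}, fmt.Errorf("traceparent: unsupported version %q", ver)
	case len(tid) != 32 || !isLowerHex(tid) || allZero(tid):
		return TraceParent{}, errors.New("traceparent: invalid trace-id")
	case len(sid) != 16 || !isLowerHex(sid) || allZero(sid):
		return TraceParent{}, errors.New("traceparent: invalid parent-id")
	case len(flags) != 2 || !isLowerHex(flags):
		return TraceParent{}, errors.New("traceparent: invalid trace-flags")
	}
	fb, _ := hex.DecodeString(flags) // cannot fail: validated as 2 hex chars
	return TraceParent{TraceID: tid, SpanID: sid, Sampled: fb[0]&0x01 == 1}, nil
}

// String renders the value back in wire format.
func (tp TraceParent) String() string {
	flags := byte(0)
	if tp.Sampled {
		flags = 1
	}
	return fmt.Sprintf("00-%s-%s-%02x", tp.TraceID, tp.SpanID, flags)
}

// Child returns a traceparent in the same trace with a fresh span id: the
// value the redirecting side hands to the next service.
func (tp TraceParent) Child() (TraceParent, error) {
	var b [8]byte
	for {
		if _, err := rand.Read(b[:]); err != nil {
			return TraceParent{}, err
		}
		if sid := hex.EncodeToString(b[:]); !allZero(sid) { // all-zero span id is invalid
			return TraceParent{TraceID: tp.TraceID, SpanID: sid, Sampled: tp.Sampled}, nil
		}
	}
}

// RedirectWithTrace is the behaviour the issue asks of Hydra: put the trace
// context on the 302 to the login/consent/logout UI as a header and a cookie.
func RedirectWithTrace(w http.ResponseWriter, r *http.Request, location string, tp TraceParent) (TraceParent, error) {
	child, err := tp.Child()
	if err != nil {
		return TraceParent{}, err
	}
	w.Header().Set(traceParentHeader, child.String())
	http.SetCookie(w, &http.Cookie{
		Name: traceParentCookie, Value: child.String(), Path: "/",
		HttpOnly: true, Secure: true,
		SameSite: http.SameSiteLaxMode, // Lax so it survives the top-level redirect
		MaxAge:   300,                   // assumed: the flow itself is short-lived
	})
	http.Redirect(w, r, location, http.StatusFound)
	return child, nil
}

// TraceFromRequest is what the receiving service (or Hydra, on the way back)
// does: prefer an explicit header, fall back to the cookie, reject garbage.
func TraceFromRequest(r *http.Request) (TraceParent, error) {
	if v := r.Header.Get(traceParentHeader); v != "" {
		return ParseTraceParent(v)
	}
	if c, err := r.Cookie(traceParentCookie); err == nil {
		return ParseTraceParent(c.Value)
	}
	return TraceParent{}, errors.New("no trace context on request")
}

func main() {
	// Root context built from the ids in the issue's log line.
	root, _ := ParseTraceParent("00-cbe23a39bad38179a9299472fddba889-a394e0781b9bd541-01")
	rec := httptest.NewRecorder()
	child, _ := RedirectWithTrace(rec, httptest.NewRequest("GET", "/oauth2/auth", nil),
		"https://login.example/login?login_challenge=abc", root)
	// Simulate the browser following the redirect and presenting the cookie.
	next := httptest.NewRequest("GET", "/login?login_challenge=abc", nil)
	for _, c := range rec.Result().Cookies() {
		next.AddCookie(c)
	}
	got, err := TraceFromRequest(next)
	fmt.Println(rec.Code, child.String(), got.TraceID == root.TraceID, err)
}
```

The parser deliberately rejects upper-case hex, all-zero ids and non-00 versions, which is what keeps an attacker-controlled cookie from poisoning the trace store with malformed ids; anything that fails validation should simply start a fresh trace rather than abort the login flow.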

I don't think this is something Hydra is likely to implement. From my understanding, this is a non-standard usage of OpenTelemetry and kind of a corner case. Please let me know if I'm wrong and this kind of feature is described somewhere in the OpenTelemetry specs.

It should be relatively simple to correlate traces for the individual requests in your observability system through some other means.

Otherwise, you may be able to configure your ingress/proxy to issue a cookie containing the trace ID.