x-requext-id header propagation in keycloak
I am using keycloak to implement OAuth2 code authorization flow in a kubernetes cluster governed by an API gatware Ambassador, I am using Istio Service mesh to add all the tracability, mTLS features to my cluster. One of which is Jaeger which requires all the services to forward x-request-id header in order to link the spans into a specific trace.
When request is sent, Istio's proxy attached to ambassador will generate the x-request-id and forward the request keycloak for authorization, when the results are sent back to the ambassador, the header is dropped and therefore, the istio proxy of keycloak will be generating a new x-header-id. The following image shows the problem:
Here is a photo of the trace where I lost the x-request-id:
Is there a way I can force Keycloak to forward the x-request-id header if passed to it?
Update here is the environment variables (ConfigMap) associated with Keycloak:
kind: ConfigMap
apiVersion: v1
metadata:
name: keycloak-envars
data:
KEYCLOAK_ADMIN: "admin"
KC_PROXY: "edge"
KC_DB: "postgres"
KC_DB_USERNAME: "test"
KC_DB_DATABASE: "keycloak"
PROXY_ADDRESS_FORWARDING: "true"
It seems keycloak have the opentelemetry plugin that is disabled by default. Enabling it allows to send trace ids to Jaeger, you can enable it by setting KC_OTEL to True. For more information look into the doc.
- Unauthorized to Delete Tweet with OAuth2.0 path on free-tier developer account
- How to authenticate resource owner with JWT token on Spring Authorization Server for requests to /oauth2/authorize?
- Headless OAuth2 Token Refresh Fails with Spring boot and MSAL4J
- Springboot Keycloak Admin add role or reset password error
- request to token url returning 400 bad request for google oauth2?
- Spring Boot Oauth Client & Authorization Server + React implementation
- Dotnet-Isolated Azure Functions - how to access HttpContext
- Enabling and Configuring Password History on Cognito
- Where to store the refresh token on the Client?
- Keycloak-Remix integration: where should I place the checks?
- Using PHPMailer when already have an access token
- Meta /media_publish return 500 unknown error
- Why is the IDP responding with Invalid Signature for a client assertion JWT
- Securing an azure API with oauth: Able to retrieve a token but token is invalid
- Spring Security 5.2 Password Flow
- Why Doesn't my Authorization Header need "Bearer"?
- Add role based authentication using next-auth in NextJS
- No qualifying bean of type 'org.springframework.security.oauth2.client.registration.ClientRegistrationRepository' available
- JakartaEE 10 OpenIdAuthenticationMechanism failed with Auth0
- Aws Cognito Oauth2: Refresh token rotation
- How to securely store api credentials in a native appliaction in a cross-platform manner
- KeyCloak Java Service Account Create User
- Get Google business reviews server side
- SpringBoot OAuth2 with Keycloak not returning mapped Roles as Authorities
- What is the purpose of the "access_token=" parameter when downloading a file from Google Drive?
- java.lang.IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer
- How do I implement social login with GitHub accounts?
- portainer keycloak 20 oauth login "unauthorized" / "Unable to login via OAuth"
- Google Oauth2 redirect_uri_mismatch when send request from localhost
- Google OAuth 2 authorization - Error: redirect_uri_mismatch