I'm currently in the process of integrating otel via the agent into a Keycloak IdP system, and I'm wondering about some best practices wrt header propagation. The IdP lives at the boundary between our internal systems, as well as integrating several external systems for purposes of identity brokering.
When sending HTTP requests to systems that live in our own infrastructure, I want to send the X-B3-* headers to those systems, so I enabled the instrumentation of the HTTP client, and it works like a charm in the test setup. Now I'm wondering whether it is good practice to simply send those headers to external systems (OIDC providers like Google) when sending requests there. Intuitively, it feels wrong to do this, but I wasn't able to find any configuration that would make the agent decide whether or not to send the headers, based on the host of the outgoing HTTP request.
For the inverse, the system also receives requests from internal and external systems. For internal requests, I would want to consume the incoming headers, and for external requests, I would like to ignore them. For this, the most straightforward way seems to be removing the headers in the load balancer handling external requests, and leaving them intact on the internal load balancer.
Would this be considered "best", or even "good", practice, or should I just always send (and always accept) the headers? I'm especially wary of accepting them from all sources, because this seems to me like a Denial of Service waiting to happen, when a malicious party starts sending the same trace ID for all their requests, which seems like it would be bad for systems handling the traces later on.
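A small policy sketch, added here as an example and not part of the post above or of the OpenTelemetry agent or Keycloak: it shows the two decisions the question raises, (1) honouring inbound B3 context only from peers inside an assumed set of internal networks and only when the IDs are well-formed, otherwise starting a fresh trace, and (2) injecting B3 headers on outbound requests only for hosts under an assumed internal domain suffix. The header names are the standard B3 multi-header set; the CIDRs, the `.internal.example` suffix and the sample header dicts are constructed for the example.

```python
import ipaddress
import re
import secrets
from urllib.parse import urlsplit

# Assumed trust boundary for the example: these networks are "internal" peers.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Assumed naming convention: hosts under this suffix are our own infrastructure.
INTERNAL_HOST_SUFFIXES = (".internal.example",)

# B3 multi-header names (standard B3 format).
B3_HEADER_NAMES = ("X-B3-TraceId", "X-B3-SpanId", "X-B3-ParentSpanId",
                   "X-B3-Sampled", "X-B3-Flags")

# B3 trace IDs are 16 or 32 lowercase hex chars; span IDs are 16.
_TRACE_ID_RE = re.compile(r"^(?:[0-9a-f]{16}|[0-9a-f]{32})$")
_SPAN_ID_RE = re.compile(r"^[0-9a-f]{16}$")


def is_internal_peer(remote_addr):
    """True if the socket peer address falls in an internal network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def is_internal_host(url):
    """True if the outbound URL targets a host under an internal suffix."""
    host = (urlsplit(url).hostname or "").lower()
    return host.endswith(INTERNAL_HOST_SUFFIXES)


def extract_b3(headers, remote_addr):
    """Decide the trace context for a new server span.

    Returns (trace_id, parent_span_id, sampled). Inbound B3 headers are
    honoured only from internal peers and only when well-formed; anything
    else (external peer, malformed or missing IDs) starts a new trace so an
    attacker cannot pin every request to one trace ID or inject garbage.
    sampled is True/False when the peer sent X-B3-Sampled, else None
    (defer to the local sampler).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if is_internal_peer(remote_addr):
        trace_id = h.get("x-b3-traceid", "").strip().lower()
        span_id = h.get("x-b3-spanid", "").strip().lower()
        if _TRACE_ID_RE.match(trace_id) and _SPAN_ID_RE.match(span_id):
            flag = h.get("x-b3-sampled")
            sampled = None if flag is None else flag.strip() == "1"
            return trace_id, span_id, sampled
    # New 128-bit trace ID, no parent: the external caller's context is dropped.
    return secrets.token_hex(16), None, None


def inject_b3(url, trace_id, span_id, sampled, headers=None):
    """Return outbound headers with B3 context added only for internal hosts.

    External identity providers (e.g. the brokered OIDC providers in the
    question) get no trace headers at all.
    """
    out = dict(headers or {})
    if is_internal_host(url):
        out["X-B3-TraceId"] = trace_id
        out["X-B3-SpanId"] = span_id
        if sampled is not None:
            out["X-B3-Sampled"] = "1" if sampled else "0"
    return out


def strip_b3(headers):
    """What an external-facing load balancer would do: drop all B3 headers."""
    drop = {n.lower() for n in B3_HEADER_NAMES}
    return {k: v for k, v in headers.items() if k.lower() not in drop}


if __name__ == "__main__":
    # Constructed sample request headers, as an internal service would send them.
    inbound = {"X-B3-TraceId": "463ac35c9f6413ad48485a3953bb6124",
               "X-B3-SpanId": "a2fb4a1d1a96d312", "X-B3-Sampled": "1"}
    print(extract_b3(inbound, "10.1.2.3"))        # context kept
    print(extract_b3(inbound, "203.0.113.7"))     # new trace, parent None
    print(inject_b3("https://accounts.google.com/o/oauth2/token",
                    "463ac35c9f6413ad48485a3953bb6124", "a2fb4a1d1a96d312", True))
```

`strip_b3` is the in-process equivalent of the load-balancer approach from the post; doing both (strip at the external edge, and still validate and scope by peer in the service) means a misrouted request or a misconfigured edge does not silently re-enable context from untrusted callers.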