MW/API + haproxy: capture `x-wmf-auth-type` in webrequest data set
Closed, Duplicate
Public

Description

For the API rate limiting measurement project, the oauth_type information from the API is needed in webrequest.
For this to happen we need:

  • MediaWiki or the API gateway to send an x-wmf-auth-type response header with the auth-type value (can also be done by adding the auth-type value in x_analytics header?)
  • HAProxy to receive the header, pass it to the log for webrequest, and remove it from the response
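
A minimal HAProxy sketch of the second bullet (capture the response header, log it, strip it before the response reaches the client). This is an added example, not configuration from this task or from the production setup; the section names, addresses, capture length and log format are assumptions.

```haproxy
# Illustrative only: names, ports and the log layout are assumed.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_example
    bind :8080

    # Reserve one response capture slot (it gets id 0); 32 bytes is an
    # assumed upper bound for an auth-type value.
    declare capture response len 32

    # Copy the header set by the application into the slot. Rules run in
    # order, so the capture must come before the delete.
    http-response capture res.hdr(x-wmf-auth-type) id 0

    # Strip the header so it is never returned to the client.
    http-response del-header x-wmf-auth-type

    # Expose the captured value as a field in the access log line.
    # A missing header produces an empty capture, logged as "-".
    log-format "%ci %ST auth_type=%[capture.res.hdr(0)] %{+Q}r"

    default_backend be_example

backend be_example
    # Stand-in for MediaWiki or the API gateway.
    server app1 127.0.0.1:8081
```

Checking that a client response no longer carries `x-wmf-auth-type` while the log line still shows the value confirms both halves of the requirement.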

Event Timeline

Good for me! Just let me know as soon as you have the "official" header name so I can make the relevant changes in HAProxy logging and HaproxyKafka configuration

The API gateway to send a header with the requested info (naming to be defined)

We could do this in the gateway, but so far we are not doing anything with oauth1 there, we are just processing jwts.
I was assuming that haproxy already had this info, because it's used to generate the value of x-trusted-request. Could haproxy expose the auth type directly via the webrequest log stream?

As to the field name: I think it should be auth_type. If the gateway emits a header, I'd call it x-wmf-auth-type.

Do you want to differentiate between owner-only and normal access tokens? (For OAuth 2; I don't think it's possible for OAuth 1.) If so, maybe it makes sense to put the logic into Envoy to keep the logic related to JWT internals in one place. (AIUI the edge will validate the JWT signature but not do much else.)

JAllemandou renamed this task from API + haproxy: capture `api_oauth_type` in webrequest data set to MW/API + haproxy: capture `x-wmf-auth-type` in webrequest data set. Feb 27 2026, 3:14 PM
JAllemandou updated the task description.