Auth: Add tracing to auth clients and AuthToken service (#107878)

* Add tracing to auth clients + authtoken svc * Fix span names * Fix ext_jwt.go * Fix idimpl/service * Update wire_gen.go * Add tracing to JWT client * Lint
2025-08-02 06:42:13 +08:00 · 2025-07-10 15:41:00 +02:00
parent 01269c5dd1
commit 1f3dc0533c
23 changed files with 205 additions and 63 deletions
--- a/pkg/services/auth/idimpl/service.go
+++ b/pkg/services/auth/idimpl/service.go
@ -8,6 +8,7 @@ import (

 	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/prometheus/client_golang/prometheus"
+	"go.opentelemetry.io/otel/trace"
 	"golang.org/x/sync/singleflight"

 	authnlib "github.com/grafana/authlib/authn"
@ -32,18 +33,18 @@ var _ auth.IDService = (*Service)(nil)

 func ProvideService(
 	cfg *setting.Cfg, signer auth.IDSigner,
-	cache remotecache.CacheStorage,
-	authnService authn.Service,
-	reg prometheus.Registerer,
+	cache remotecache.CacheStorage, authnService authn.Service,
+	reg prometheus.Registerer, tracer trace.Tracer,
 ) *Service {
 	s := &Service{
 		cfg: cfg, logger: log.New("id-service"),
 		signer: signer, cache: cache,
 		metrics:  newMetrics(reg),
 		nsMapper: request.GetNamespaceMapper(cfg),
+		tracer:   tracer,
 	}

-	authnService.RegisterPostAuthHook(s.hook, 140)
+	authnService.RegisterPostAuthHook(s.SyncIDToken, 140)

 	return s
 }
@ -55,10 +56,14 @@ type Service struct {
 	cache    remotecache.CacheStorage
 	si       singleflight.Group
 	metrics  *metrics
+	tracer   trace.Tracer
 	nsMapper request.NamespaceMapper
 }

 func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (string, *authnlib.Claims[authnlib.IDTokenClaims], error) {
+	ctx, span := s.tracer.Start(ctx, "user.sync.SignIdentity")
+	defer span.End()
+
 	defer func(t time.Time) {
 		s.metrics.tokenSigningDurationHistogram.Observe(time.Since(t).Seconds())
 	}(time.Now())
@ -140,10 +145,15 @@ func (s *Service) SignIdentity(ctx context.Context, id identity.Requester) (stri
 }

 func (s *Service) RemoveIDToken(ctx context.Context, id identity.Requester) error {
+	ctx, span := s.tracer.Start(ctx, "user.sync.RemoveIDToken")
+	defer span.End()
+
 	return s.cache.Delete(ctx, getCacheKey(id))
 }

-func (s *Service) hook(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
+func (s *Service) SyncIDToken(ctx context.Context, identity *authn.Identity, _ *authn.Request) error {
+	ctx, span := s.tracer.Start(ctx, "user.sync.SyncIDToken")
+	defer span.End()
 	// FIXME(kalleep): we should probably lazy load this
 	token, idClaims, err := s.SignIdentity(ctx, identity)
 	if err != nil {