oathkeeper
Custom bearer token not redacted
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Network project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
By default, Oathkeeper redacts sensitive values from the logs like the Authorization HTTP header and cookie values. However, when defining a custom bearer token in the bearer_token authenticator, the value of this token is not redacted.

I think this is a bug as I explicitly defined a specific HTTP header in the bearer_token authenticator as comprising a sensitive value, so its value should be redacted.
Reproducing the bug
- Start an Oathkeeper instance with a bearer_token authenticator configured to retrieve the secret from a custom HTTP header (X-Fallback-Cookies in my configuration example).
- Send an HTTP request comprising the custom HTTP header to the Oathkeeper instance.
- The value of the custom HTTP header is visible in the logs, which is not the desired behaviour.
Relevant log output
time=2023-03-21T10:00:53Z level=info msg=started handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.5 dnt:1 sec-fetch-dest:document sec-fetch-mode:navigate sec-fetch-site:none sec-fetch-user:?1 upgrade-insecure-requests:1 user-agent:Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 x-appwrite-project:xxx x-fallback-cookies:{"a_session_xxx": "eyJpZCI6IjY0MTM0MjIwMmMzNDRjOTVkODkwIiwic2VjcmV0IjoiZGJlNDExMmRiZTVhYmVkMWY2ZTE2NGJkYjUzODU3ODZjZTA1MzQ2OTVlOGU2NWE3NDk2MjQ3NTVhNjQ2MTI4OTQ1NmZmMjk4YjhiM2E0YzkzNWYzNTZmYjdlMTY3NTMyNmQwZWJlZjkzY2IxMzk3MDk5YzZmOTMyYjQyNTRiNGQ2ODQyMTQxNzNiYTJkNzRkODZiOTM1ZGM2MjMyYWZkNjc2ZjkxOGIyYzY3NjcxZDhjYzgxOTNkNWFhZGNkMDE5NWE3ZjNlMzgzNjQ0Y2E3YmZiYWVhY2Q5NjBiZTc2NjJkNzM4ZTgyODE4OTgzNjQzZmVmZTYyYjliMWQzMTYzMyJ9"} x-forwarded-for:172.21.0.1 x-forwarded-host:whoami.example.com x-forwarded-method:GET x-forwarded-port:443 x-forwarded-proto:https x-forwarded-server:6af04422d9d4 x-forwarded-uri:/ x-real-ip:172.21.0.1] host:api-gateway:4456 method:GET path:/decisions query:<nil> remote:172.21.0.1:42842 scheme:http]
time=2023-03-21T10:00:54Z level=info msg=Access credentials are invalid audience=application service_name=ORY Oathkeeper service_version=v0.40.1
time=2023-03-21T10:00:54Z level=info msg=Access request denied audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=api-gateway:4456 http_method=GET http_url=https://whoami.example.com/ http_user_agent=Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 service_name=ORY Oathkeeper service_version=v0.40.1
Relevant configuration
authenticators:
  bearer_token:
    enabled: true
    config:
      check_session_url: http://appwrite/v1/account/sessions/current
      preserve_path: true
      force_method: GET
      subject_from: userId
      token_from:
        header: X-Fallback-Cookies
      forward_http_headers:
        - X-Appwrite-Project
        - X-Fallback-Cookies
log:
  level: debug
  format: text
  leak_sensitive_values: false
Version
0.40.1
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
This issue makes sense to me and feels like it should be fixed. Currently, the list of redacted headers is hardcoded here.
We would need a mechanism and API in that package to conditionally redact more headers.
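To illustrate the mechanism the comment above asks for, here is an added example (not Oathkeeper's own code) of a header-redaction helper whose sensitive set is the built-in defaults plus the header named in the authenticator's token_from block. The TokenFrom type, the defaultSensitive list and the "[redacted]" placeholder are assumptions for this example; header names are canonicalised so that the lowercase x-fallback-cookies seen in the log matches the X-Fallback-Cookies spelling in the configuration.

```go
package main

import (
	"net/http"
	"strings"
)

// TokenFrom mirrors the bearer_token authenticator's token_from block
// (assumed shape for this example; only the header variant is modelled).
type TokenFrom struct {
	Header string
}

// Placeholder written in place of a sensitive value (assumed; Oathkeeper's
// real redaction text is not reproduced here).
const redactedPlaceholder = "[redacted]"

// Headers the report says Oathkeeper already redacts by default.
var defaultSensitive = []string{"Authorization", "Cookie"}

// sensitiveSet builds the redaction set: the defaults plus the header the
// bearer_token authenticator is configured to read the token from. Names are
// canonicalised so "x-fallback-cookies" on the wire matches the config value.
func sensitiveSet(tf TokenFrom) map[string]bool {
	set := map[string]bool{}
	for _, name := range defaultSensitive {
		set[http.CanonicalHeaderKey(name)] = true
	}
	if tf.Header != "" {
		set[http.CanonicalHeaderKey(tf.Header)] = true
	}
	return set
}

// RedactHeaders returns a log-safe view of h: values of sensitive headers are
// replaced by the placeholder, all others are joined as they would be logged.
func RedactHeaders(h http.Header, tf TokenFrom) map[string]string {
	sensitive := sensitiveSet(tf)
	out := make(map[string]string, len(h))
	for name, values := range h {
		key := http.CanonicalHeaderKey(name)
		if sensitive[key] {
			out[key] = redactedPlaceholder
			continue
		}
		out[key] = strings.Join(values, ", ")
	}
	return out
}
```

Passing an empty TokenFrom reproduces the reported behaviour: the default headers are redacted but the custom token header is logged verbatim.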