
oauth2. Hide secrets in endpoint_params.

Open dezzzm opened this issue 4 months ago • 1 comment

When configuring oauth2 with endpoint_params.grant_type=password, you have to specify the login and password of the account. This information is displayed in plain text and is not hidden in any way either in the configuration or when logging into the web interface (http://ip:9115/config or http://ip:9115/logs?id=1).

Example:

modules:
    http_2xx_oauth_dex:
        prober: http
        timeout: 5s
        http:
            valid_status_codes:
                - 200
            valid_http_versions:
                - HTTP/1.1
                - HTTP/2.0
            preferred_ip_protocol: ip4
            ip_protocol_fallback: true
            headers:
                user-agent: Blackbox Exporter/0.27.0, Chrome
            oauth2:
                client_id: test
                client_secret_file: /etc/blackbox_exporter/secrets/secret_http_2xx_oauth_dex
                token_url: https://keycloak.k8s.test.local/realms/test/protocol/openid-connect/token
                endpoint_params:
                    grant_type: password
                    password: <password in plain text>
                    username: <username in plain text>

Please add endpoint_params_file or password_file similar to client_secret_file to hide sensitive information.

dezzzm, Sep 16 '25 10:09

I've read the code responsible for handling OAuth; its configuration is described in the github.com/prometheus/common package:

type OAuth2 struct {
	ClientID         string `yaml:"client_id" json:"client_id"`
	ClientSecret     Secret `yaml:"client_secret" json:"client_secret"`
	ClientSecretFile string `yaml:"client_secret_file" json:"client_secret_file"`
	// ClientSecretRef is the name of the secret within the secret manager to use as the client
	// secret.
	ClientSecretRef string            `yaml:"client_secret_ref" json:"client_secret_ref"`
	Scopes          []string          `yaml:"scopes,omitempty" json:"scopes,omitempty"`
	TokenURL        string            `yaml:"token_url" json:"token_url"`
	EndpointParams  map[string]string `yaml:"endpoint_params,omitempty" json:"endpoint_params,omitempty"`
	TLSConfig       TLSConfig         `yaml:"tls_config,omitempty"`
	ProxyConfig     `yaml:",inline"`
}

which, when creating the request, passes it on to the golang.org/x/oauth2 package here (`return client, config.TokenSource(ctx), nil`), so it is not on the blackbox exporter side. As you can see, EndpointParams is just a map of strings, so it is not "hiding" anything, unlike the BasicAuth password for example. I guess you could raise this problem with Prometheus?

Or maybe the blackbox exporter config could add something like

type HTTPProbe struct {
	...
	// Hypothetical option: when set, credentials in the embedded HTTP client config are masked in /config output.
	MaskHTTPClientConfig bool `yaml:"mask_http_client_config"`
}

which obviously would "hide" the httpConfig in case it has any credentials in its configuration that are not hidden initially.

I am not sure whether we should ping the maintainers, or whether they will read this and say anything about it :)

endesapt, Sep 18 '25 16:09