Gregor Zeitlinger

Results 83 comments of Gregor Zeitlinger

OK, I guess that makes sense. the endpoint also needs to be added to OAuthConfiguration - otherwise it can't be accessed. @vadeg can you also check this issue?

> Not sure whether masking of users in logs is necessary. Afaik, the privacy setup for logs should usually be sufficient to allow logging of user names.

this PR is...

> * Please handle nil case and use this as default

yes, that's the idea

> * What about oidc* filters?
> * What about tokenintrospection filters?
>
> I...

> @zeitlinger `realm` is not in the spec because it is a Zalando extension

makes sense

for tokeninfo it's `curl -s -H "Authorization: Bearer $(ztoken)" -X POST https://info.services.auth.zalando.com/oauth2/tokeninfo` and there...

Thought about how to

1. move more logic into the filter
2. not hard code `realm` - as it's a Zalando extension
3. make masking work for the oidc, token...

> I think for oidc we already have stored everything in `ctx.StateBag()[oidcClaimsCacheKey]`, tokenintrospection uses state bag key `tokenintrospectionCacheKey` and tokeninfo `tokeninfoCacheKey`. I think you won't need to do anything for...

> > > I think for oidc we already have stored everything in `ctx.StateBag()[oidcClaimsCacheKey]`, tokenintrospection uses state bag key `tokenintrospectionCacheKey` and tokeninfo `tokeninfoCacheKey`. I think you won't need to do...

> I think this feature should not be a global flag, but rather a filter. Is there a reason or a limitation why it is a global setting?

yes: the...

> Please, convert this functionality into a filter.

IIUC, you're saying we could append a global default filter that has the same effect. Would this filter modify what `stateBagToTag` is...

> the first step could be replaced by a filter that defines the same mask, and if the user wants, they can even set this filter only for specific routes...