
Feat: Add OTel trace context propagation to AuthBridge #497

Open

husky-parul wants to merge 1 commit into kagenti:main from husky-parul:feat/otel-trace-propogation

Conversation

husky-parul commented Jun 12, 2026


Summary

  • Add OTel trace context propagation so traceparent headers flow through AuthBridge's inbound → outbound path without being dropped
  • Uses the standard otlptracehttp exporter, gated on OTEL_EXPORTER_OTLP_ENDPOINT — zero behavioral change when unset

Test plan

  • Without OTEL_EXPORTER_OTLP_ENDPOINT: AuthBridge behaves identically to before (no-op TracerProvider)
  • With OTEL_EXPORTER_OTLP_ENDPOINT set: traceparent headers are preserved across inbound → outbound hops
  • Verify by sending a request with a traceparent and checking the outbound request carries the same trace_id

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>

Summary by CodeRabbit

  • New Features
    • Added OpenTelemetry distributed tracing support across authentication and token exchange flows
    • Automatic extraction of trace context from incoming requests and propagation to downstream services
    • Configurable via OTEL_EXPORTER_OTLP_ENDPOINT and OTEL_SERVICE_NAME environment variables for OTLP trace collection

coderabbitai Bot commented Jun 12, 2026


Review Change Stack

Warning

Review limit reached

@husky-parul, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 7a72416b-dfcd-483c-b6e7-860274168d8f

📥 Commits

Reviewing files that changed from the base of the PR and between 3011057 and 8f9fe4f.

⛔ Files ignored due to path filters (1)
  • authbridge/authlib/go.sum is excluded by !**/*.sum
📒 Files selected for processing (6)
  • authbridge/authlib/go.mod
  • authbridge/authlib/otelbridge/otelbridge.go
  • authbridge/authlib/otelbridge/otelbridge_test.go
  • authbridge/authlib/plugins/jwtvalidation/plugin.go
  • authbridge/authlib/plugins/tokenexchange/plugin.go
  • authbridge/cmd/authbridge-proxy/main.go
📝 Walkthrough

This PR adds OpenTelemetry distributed tracing to authbridge. A new otelbridge module conditionally initializes tracing from environment variables and provides trace context extraction/injection helpers. Two plugins (JWT validation and token exchange) integrate trace propagation into their request handling. The application entry point wires OTel initialization with proper lifecycle management.

Changes

OpenTelemetry Tracing Support

  • OTel Bridge Infrastructure and Dependencies
    Files: authbridge/authlib/go.mod, authbridge/authlib/otelbridge/otelbridge.go
    Summary: Adds OpenTelemetry, backoff, and updates grpc-gateway dependencies. New otelbridge module exports Init (conditionally enables OTLP HTTP tracing with batch export and TraceContext propagator), ExtractTraceContext (pulls trace ID from incoming headers), and InjectTraceContext (injects trace ID into outgoing headers).
  • Plugin Trace Context Integration
    Files: authbridge/authlib/plugins/jwtvalidation/plugin.go, authbridge/authlib/plugins/tokenexchange/plugin.go
    Summary: JWT validation plugin extracts trace context from request headers before inbound handling. Token exchange plugin extracts before outbound handling and injects back into response headers when replacing tokens.
  • Application Initialization and Lifecycle
    Files: authbridge/cmd/authbridge-proxy/main.go
    Summary: Calls otelbridge.Init at startup, terminates on error, and defers the returned shutdown function for clean OTel lifecycle management during application shutdown.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • huang195
  • maia-iyer

Poem

🐰 A trace through the telemetry dance,
Headers pass whispers of distributed chance,
From JWT walls to token exchange,
The bridge lets context freely range,
One startup call brings all in sight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'Feat: Add OTel trace context propagation to AuthBridge' clearly and concisely describes the main change: adding OpenTelemetry trace context propagation support to the AuthBridge system.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


husky-parul force-pushed the feat/otel-trace-propogation branch from 3011057 to 139dcbd (June 12, 2026 14:50)
 AuthBridge sits in the request path but currently breaks trace
 continuity. This adds propagator setup so traceparent headers flow
 through inbound → outbound without being dropped. Gated on
 OTEL_EXPORTER_OTLP_ENDPOINT — zero behavioral change when unset.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>

Signed-off-by: Parul Singh <parsingh@redhat.com>
husky-parul force-pushed the feat/otel-trace-propogation branch from 139dcbd to 8f9fe4f (June 12, 2026 14:52)

Ladas left a comment


Code Review + Security Review

What it does

Adds W3C Trace Context propagation to AuthBridge so traceparent / tracestate headers survive the inbound→outbound authentication path. Three integration points:

  1. otelbridge.Init() — initializes OTel TracerProvider with OTLP HTTP exporter, gated on OTEL_EXPORTER_OTLP_ENDPOINT. Returns no-op when unset — zero behavioral change by default.
  2. JWT validation plugin: ExtractTraceContext() on inbound request, populating ctx with the caller's trace/span.
  3. Token exchange plugin: ExtractTraceContext() on outbound request, then InjectTraceContext() after token replacement to propagate the trace ID downstream.

Code quality

  • Clean separation: otelbridge package handles all OTel setup and W3C propagation. Plugins only call Extract/Inject.
  • Init() returns a (shutdown, error) tuple — correct lifecycle pattern for OTel SDK.
  • Propagator is propagation.TraceContext{} (W3C standard) — correct choice for HTTP.
  • Service name falls back to "authbridge" when OTEL_SERVICE_NAME is unset.
  • Tests cover: no-endpoint no-op, endpoint initialization, extract/inject round-trip, trace ID preservation. Good coverage.

Security Review

No security issues found.

  1. No credentials exposed. The OTel exporter reads OTEL_EXPORTER_OTLP_ENDPOINT from env — no secrets in code. The OTLP HTTP exporter uses the standard OTel SDK env vars for auth (OTEL_EXPORTER_OTLP_HEADERS), which is the correct pattern.

  2. No header leakage. ExtractTraceContext reads traceparent/tracestate only (W3C propagator). InjectTraceContext writes traceparent/tracestate only. No auth headers (Authorization, cookies) are touched by the OTel propagation layer.

  3. Trace context injection placement is correct. In tokenexchange/plugin.go, InjectTraceContext is called on the ActionReplaceToken branch AFTER the token is set in the Authorization header. This means the trace propagation doesn't interfere with or override the auth header — they operate on different header keys.

  4. No new network surface. The OTLP HTTP exporter connects to the configured endpoint (typically otel-collector within the cluster). When OTEL_EXPORTER_OTLP_ENDPOINT is unset, no connections are made. No new ports, routes, or ingress.

  5. log.Fatalf on OTel init failure — this is appropriate for a sidecar process. If the operator explicitly configures tracing and it fails to initialize, crashing early is better than silently dropping traces.

  6. Dependency additions are standard. OTel SDK v1.43.0, otlptracehttp exporter, cenkalti/backoff/v5 (transitive). All are widely-used, well-maintained.

Minor observations (non-blocking)

  • The test TestInit_NoEndpoint checks that TraceContext propagator is NOT set when endpoint is unset. This is correct but fragile — if a previous test in the same process set it (e.g., TestInit_WithEndpoint), the global state would leak. The tests work because Go runs them in declaration order and TestInit_NoEndpoint runs first. Consider t.Cleanup to reset the global propagator, or accept the ordering dependency.

  • go.sum diff is large but mechanical — dependency version bumps from adding OTel SDK.

APPROVE — clean, well-tested, correct security posture.
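The inbound → outbound handoff the review describes (read traceparent/tracestate only, inject after the token swap, leave Authorization alone) together with the test-plan check that the forwarded request carries the same trace_id, as an added stand-alone example. This is not the project's otelbridge code and does not use the OTel SDK: it hand-rolls the W3C traceparent validation that propagation.TraceContext{} performs internally, so it runs with the Go standard library only. The function names (ParseTraceparent, ExtractTraceContext, InjectTraceContext, NewSpanID, Bridge, TraceIDPreserved) and the sample header values are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TraceContext holds the W3C traceparent fields (traceid, spanid, flags) and tracestate.
type TraceContext struct{ TraceID, SpanID, Flags, TraceState string }

// ParseTraceparent validates a traceparent per W3C Trace Context: four '-'-separated
// lowercase hex fields of 2/32/16/2 chars, version not "ff", non-zero trace and span IDs.
func ParseTraceparent(v string) (TraceContext, error) {
	parts := strings.Split(v, "-")
	if len(parts) != 4 {
		return TraceContext{}, errors.New("traceparent: expected 4 fields")
	}
	for i, want := range []int{2, 32, 16, 2} {
		if len(parts[i]) != want || strings.ToLower(parts[i]) != parts[i] {
			return TraceContext{}, fmt.Errorf("traceparent: field %d malformed", i)
		}
		if _, err := hex.DecodeString(parts[i]); err != nil {
			return TraceContext{}, fmt.Errorf("traceparent: field %d is not hex", i)
		}
	}
	if parts[0] == "ff" {
		return TraceContext{}, errors.New("traceparent: version ff is invalid")
	}
	if parts[1] == strings.Repeat("0", 32) || parts[2] == strings.Repeat("0", 16) {
		return TraceContext{}, errors.New("traceparent: all-zero trace or span id")
	}
	return TraceContext{TraceID: parts[1], SpanID: parts[2], Flags: parts[3]}, nil
}

// ExtractTraceContext reads only traceparent/tracestate from inbound headers (never
// Authorization or cookies); ok is false when no valid inbound trace exists.
func ExtractTraceContext(h http.Header) (TraceContext, bool) {
	tc, err := ParseTraceparent(h.Get("traceparent"))
	if err != nil {
		return TraceContext{}, false
	}
	tc.TraceState = h.Get("tracestate")
	return tc, true
}

// InjectTraceContext writes traceparent (and tracestate when present) onto outbound
// headers, keeping the caller's trace ID and flags with a fresh span ID for this hop.
func InjectTraceContext(h http.Header, tc TraceContext, spanID string) {
	h.Set("traceparent", fmt.Sprintf("00-%s-%s-%s", tc.TraceID, spanID, tc.Flags))
	if tc.TraceState != "" {
		h.Set("tracestate", tc.TraceState)
	}
}

// NewSpanID returns 8 random bytes as 16 lowercase hex chars, never all zero.
func NewSpanID() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	if strings.Trim(hex.EncodeToString(b), "0") == "" {
		b[0] = 1 // an all-zero span ID is invalid per the spec
	}
	return hex.EncodeToString(b), nil
}

// Bridge simulates the inbound -> outbound path: token exchange swaps Authorization,
// and trace context is carried over only when the inbound traceparent was valid.
func Bridge(inbound http.Header, exchangedToken string) http.Header {
	out := http.Header{}
	out.Set("Authorization", "Bearer "+exchangedToken)
	if tc, ok := ExtractTraceContext(inbound); ok {
		if spanID, err := NewSpanID(); err == nil {
			InjectTraceContext(out, tc, spanID)
		}
	}
	return out
}

// TraceIDPreserved is the test-plan check: outbound carries the same trace_id as inbound.
func TraceIDPreserved(inbound, outbound http.Header) bool {
	in, okIn := ExtractTraceContext(inbound)
	out, okOut := ExtractTraceContext(outbound)
	return okIn && okOut && in.TraceID == out.TraceID
}

func main() {
	in := http.Header{} // constructed sample request headers
	in.Set("traceparent", "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01")
	in.Set("Authorization", "Bearer inbound-token")
	out := Bridge(in, "exchanged-token")
	fmt.Println("trace id preserved:", TraceIDPreserved(in, out), out.Get("traceparent"))
}
```

Two design points worth noting. First, a malformed or all-zero inbound traceparent is dropped rather than forwarded, which is what a W3C-conformant propagator does; the outbound request then simply has no trace context instead of carrying a bogus one downstream. Second, the inbound Authorization header is never read by the extract/inject pair, so the only way a credential reaches the outbound side is through the token-exchange path itself, matching the header-isolation property the security review relies on.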
