fix: adds tracing to cookie_session and bearer_token authenticators

[achedeuzot]

Tracing works for oauth2_introspect type authenticators but fails for bearer_token or cookie_session type of authenticators as the headers aren't updated with a proper parent span created by oathkeeper.

Changing this, the parent span from the incoming request is updated with an oathkeeper span creating a proper trace in monitoring tools.

Caution: Enabling the tracing injects tracing headers into requests which now need explicit allowlisting since 0.39.x versions.

Related issue(s)

Tracing is broken when using cookie_session and bearer_token authenticators as headers can be merely propagated by using forward_http_headers but they aren't properly updated. This created wrong layouts in tracing tools.

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security. vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.

Further Comments

Happy to discuss this if needed 😉

[achedeuzot]

One of the CI tests fails but it's unrelated to the changes done so it might be a flaky test.

[aeneasr]

Awesome, thanks!

[vinckr]

Hello @achedeuzot
Congrats on merging your first PR in Ory 🎉 !
Your contribution will soon be helping secure millions of identities around the globe 🌏.
As a small token of appreciation we send all our first time contributors a gift package to welcome them to the community.
Please drop me an email and I will forward you the form to claim your Ory swag!