
Auth logging #45

Closed
MisterWil opened this issue Feb 7, 2019 · 2 comments
Comments

@MisterWil
Contributor

Expected Behavior

I would like to see the ability to configure auth logging separately from request logs. This should specifically include the ability to log directly to a configured file path.

Current Behavior

All log output is sent to stdout, both requests and error logging. It appears that the error logs flow through a separate logging interface than the request logs. The only way to currently obtain these logs is to use docker logs Oauth2Proxy or configuring the docker container to log to the host syslog.

Request logs are logged:

123.123.123.123 - username@gmail.com [07/Feb/2019:00:01:30 +0000] domain.com GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36" 202 0 0.000

Failed auth attempts are logged unformatted to stdout as well:

2019/02/07 00:00:40 oauthproxy.go:754: 172.17.0.1:52548 ("123.123.123.123") Permission Denied: "username@gmail.com" is unauthorized

Possible Solution

Further configuration either via command line like:

  -auth-logging: Log auth requests (default true)
  -auth-logging-file: File to log auth requests to (defaults to empty for stdout)
  -auth-logging-format: Template for auth log lines (see "Auth Logging Format" paragraph below)

Or through the oauth2_proxy.cfg file:

## Log requests to stdout
auth_logging = true
auth_logging_file = /etc/oauth2/auth.log
auth_logging_format = [{{.Timestamp}}] [{{.Level}}] {{.Message}} IP: {{.RemoteIP}}. Username: {{.Username}}.

The format should include the option for all relevant info but most importantly the remote IP address of the request.

That way a failed oauth2 attempt would log something like:

[2019/02/07 00:00:40] [ERROR] Permission Denied. IP: 123.123.123.123. Username: username@gmail.com

Most of this logging would be at the existing log.Printf() function calls in oauthproxy.go.

Context

I would like to get a log file of failed login attempts to redirect through fail2ban so that any attempts to login via any interface can be blocked upstream at the reverse proxy level. In this particular case I have fail2ban set up to ban IP addresses directly at the cloudflare proxy so the banned IPs don't even make it to my reverse proxy server.

Then you could create a file /etc/fail2ban/jail.d/oauth2proxy.conf

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Permission Denied\. IP: <HOST>\. Username:.*$
ignoreregex =

And then you could add oauth2proxy as a fail2ban jail.
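The two halves of the proposal above, the templated auth log line and the fail2ban filter that consumes it, can be checked end to end before touching oauth2_proxy. The following is an added example and not code from the issue or from the oauth2_proxy project: it renders the proposed auth_logging_format with Go's text/template, writes lines to any io.Writer (stdout or a file opened from a configured path), then replays constructed sample lines through the proposed failregex the way fail2ban would, counting failures per host. The AuthEvent field names, the AuthLogger type, and the expansion of fail2ban's <HOST> tag are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"regexp"
	"sort"
	"strings"
	"text/template"
	"time"
)

// AuthEvent holds the fields the proposed template placeholders refer to.
// The field names are an assumption for this example.
type AuthEvent struct {
	Timestamp string
	Level     string
	Message   string
	RemoteIP  string
	Username  string
}

// authLogFormat is the auth_logging_format proposed in the issue (brackets balanced).
const authLogFormat = "[{{.Timestamp}}] [{{.Level}}] {{.Message}} IP: {{.RemoteIP}}. Username: {{.Username}}."

var authTmpl = template.Must(template.New("auth").Parse(authLogFormat))

// FormatAuthLine renders one auth log line from the template.
func FormatAuthLine(ev AuthEvent) (string, error) {
	var sb strings.Builder
	if err := authTmpl.Execute(&sb, ev); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// AuthLogger writes rendered auth lines to a writer (stdout, or a file
// opened from a configured auth_logging_file path).
type AuthLogger struct {
	w   io.Writer
	now func() time.Time // injectable clock so output is deterministic in tests
}

func NewAuthLogger(w io.Writer) *AuthLogger {
	return &AuthLogger{w: w, now: time.Now}
}

// Denied logs a failed authorization for remoteIP/username.
func (l *AuthLogger) Denied(remoteIP, username string) error {
	line, err := FormatAuthLine(AuthEvent{
		Timestamp: l.now().UTC().Format("2006/01/02 15:04:05"),
		Level:     "ERROR",
		Message:   "Permission Denied.",
		RemoteIP:  remoteIP,
		Username:  username,
	})
	if err != nil {
		return err
	}
	_, err = fmt.Fprintln(l.w, line)
	return err
}

// failRegex is the issue's failregex with the <HOST> tag expanded to an
// approximation of the pattern fail2ban substitutes for it.
var failRegex = regexp.MustCompile(`^.*Permission Denied\. IP: (?P<host>[\w\-.^_]*\w)\. Username:.*$`)

// CountFailures replays log lines through the filter as fail2ban would and
// returns the number of matching failures per host.
func CountFailures(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if m := failRegex.FindStringSubmatch(l); m != nil {
			counts[m[1]]++
		}
	}
	return counts
}

// BannedHosts returns, sorted, the hosts that reached maxretry failures.
func BannedHosts(counts map[string]int, maxretry int) []string {
	var out []string
	for h, n := range counts {
		if n >= maxretry {
			out = append(out, h)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample data: three denials from one IP, one from another,
	// and an ordinary request log line that must not match the filter.
	fixed := time.Date(2019, 2, 7, 0, 0, 40, 0, time.UTC)
	var buf strings.Builder
	l := NewAuthLogger(&buf)
	l.now = func() time.Time { return fixed }
	for i := 0; i < 3; i++ {
		_ = l.Denied("123.123.123.123", "username@gmail.com")
	}
	_ = l.Denied("203.0.113.9", "other@example.com")
	lines := strings.Split(strings.TrimSpace(buf.String()), "\n")
	lines = append(lines, `123.123.123.123 - username@gmail.com [07/Feb/2019:00:01:30 +0000] domain.com GET - "/oauth2/auth" HTTP/1.0 "Mozilla/5.0" 202 0 0.000`)
	fmt.Fprintln(os.Stdout, strings.Join(lines, "\n"))
	fmt.Println("banned (maxretry=3):", BannedHosts(CountFailures(lines), 3))
}
```

Keeping the remote IP as its own delimited field, followed by a literal ". Username:", is what lets the failregex anchor on it without guessing at the shape of the message; the request log line, which carries the same IP, is not matched because it never contains "Permission Denied.".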

@MisterWil MisterWil changed the title Failed attempt logging Auth logging Feb 7, 2019
@JoelSpeed
Member

This seems like a sensible enhancement to add. If we can do it in a way that the default values maintain existing behaviour then that would be even better.

We will likely want to use some sort of logging library for this, does anyone have any suggestions?

@github-actions
Contributor

github-actions bot commented Mar 7, 2020

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
