logging: add option to add a user's id_token to the authorization log
#4376
Assignees
Comments
desimone
changed the title
id_token to the request logid_token to the access log
desimone
changed the title
id_token to the access logid_token to the authorization log
6 tasks
|
From chatting with @desimone I believe it's fine if we want to add two separate options for logging the raw ID token and the decoded ID token claims. (I have a slight preference for doing it that way, as to me it feels more consistent with the other log fields, but it's probably fine to leave it the way #4392 has it for now. We can always split these up later if we need to.) |
|
This has been implemented. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What
While our current authorization logs contain basic user information like user email and groups, being able to quickly see a user's request detail's (including extra custom claims) can be helpful in a security audit, or to troubleshoot access issues quickly.
Solution
We should pass the user's most recent encoded AND base64 decoded
id_tokenas part of the request.Alternatives
We provide a user configurable way to select the claims. But this would likely add latency to each request for parsing, and open up the possibility for information leakage. In theory, id_token's should be relatively safe to put in logs.
Considerations
id_tokenswhich could make this result inconsistent. For example, Azure provides you the complete user contexts only once during initial sign in. The following id_token / user info calls are assumed to be updates only.Related issues
The text was updated successfully, but these errors were encountered: