You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
While our current authorization logs contain basic user information like user email and groups, being able to quickly see a user's request detail's (including extra custom claims) can be helpful in a security audit, or to troubleshoot access issues quickly.
Solution
We should pass the user's most recent encoded AND base64 decodedid_token as part of the request.
Alternatives
We provide a user configurable way to select the claims. But this would likely add latency to each request for parsing, and open up the possibility for information leakage. In theory, id_token's should be relatively safe to put in logs.
Considerations
Every identity provider does slightly different things with id_tokens which could make this result inconsistent. For example, Azure provides you the complete user contexts only once during initial sign in. The following id_token / user info calls are assumed to be updates only.
The text was updated successfully, but these errors were encountered:
desimone
changed the title
logging: add option to add a user's id_token to the request log
logging: add option to add a user's id_token to the access log
Jul 20, 2023
desimone
changed the title
logging: add option to add a user's id_token to the access log
logging: add option to add a user's id_token to the authorization log
Jul 20, 2023
From chatting with @desimone I believe it's fine if we want to add two separate options for logging the raw ID token and the decoded ID token claims. (I have a slight preference for doing it that way, as to me it feels more consistent with the other log fields, but it's probably fine to leave it the way #4392 has it for now. We can always split these up later if we need to.)
What
While our current authorization logs contain basic user information like user email and groups, being able to quickly see a user's request detail's (including extra custom claims) can be helpful in a security audit, or to troubleshoot access issues quickly.
Solution
We should pass the user's most recent encoded AND base64 decoded
id_token
as part of the request.Alternatives
We provide a user configurable way to select the claims. But this would likely add latency to each request for parsing, and open up the possibility for information leakage. In theory, id_token's should be relatively safe to put in logs.
Considerations
id_tokens
which could make this result inconsistent. For example, Azure provides you the complete user contexts only once during initial sign in. The following id_token / user info calls are assumed to be updates only.Related issues
The text was updated successfully, but these errors were encountered: