sourcegraph · vrto · Nov 16, 2022 · Nov 15, 2022 · Nov 15, 2022 · Nov 15, 2022
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,7 @@ All notable changes to Sourcegraph are documented in this file.
 - GitHub/GitLab OAuth success/fail attempts are now a part of the audit log. [#43886](https://github.com/sourcegraph/sourcegraph/pull/43886)
 - When rendering a file which is backed by Git LFS, we show a page informing the file is LFS and linking to the file on the codehost. Previously we rendered the LFS pointer. [#43686](https://github.com/sourcegraph/sourcegraph/pull/43686)
 - Batch changes run server-side now support secrets. [#27926](https://github.com/sourcegraph/sourcegraph/issues/27926)
+- OIDC success/fail login attempts are now a part of the audit log. [#44467](https://github.com/sourcegraph/sourcegraph/pull/44467)
 
 ### Changed
 

diff --git a/enterprise/cmd/frontend/internal/auth/openidconnect/middleware.go b/enterprise/cmd/frontend/internal/auth/openidconnect/middleware.go
@@ -134,8 +134,28 @@ func authHandler(db database.DB) func(w http.ResponseWriter, r *http.Request) {
 			if err != nil {
 				log15.Error("Failed to authenticate with OpenID connect.", "error", err)
 				http.Error(w, safeErrMsg, errStatus)
+				arg, _ := json.Marshal(struct {
+					SafeErrorMsg string `json:"safe_error_msg"`
+				}{
+					SafeErrorMsg: safeErrMsg,
+				})
+				db.SecurityEventLogs().LogEvent(r.Context(), &database.SecurityEvent{
+					Name:            database.SecurityEventOIDCLoginFailed,
+					URL:             r.URL.Path,                                   // Don't log OIDC query params
+					AnonymousUserID: fmt.Sprintf("unknown OIDC @ %s", time.Now()), // we don't know have a reliable user identify at the time of the failure
-					AnonymousUserID: fmt.Sprintf("unknown OIDC @ %s", time.Now()), // we don't know have a reliable user identify at the time of the failure
+					AnonymousUserID: fmt.Sprintf("unknown OIDC @ %s", time.Now()), // We don't have a reliable user identity at the time of the failure
-					AnonymousUserID: fmt.Sprintf("unknown OIDC @ %s", time.Now()), // we don't know have a reliable user identify at the time of the failure
+					AnonymousUserID: fmt.Sprintf("unknown OIDC @ %s", time.Now()), // We don't have a reliable user identity at the time of the failure
+					Source:          "BACKEND",
+					Timestamp:       time.Now(),
+					Argument:        arg,
+				})
 				return
 			}
+			db.SecurityEventLogs().LogEvent(r.Context(), &database.SecurityEvent{
+				Name:      database.SecurityEventOIDCLoginSucceeded,
+				URL:       r.URL.Path, // Don't log OIDC query params
+				UserID:    uint32(result.User.ID),
+				Source:    "BACKEND",
+				Timestamp: time.Now(),
+			})
 
 			var exp time.Duration
 			// 🚨 SECURITY: TODO(sqs): We *should* uncomment the lines below to make our own sessions

diff --git a/enterprise/cmd/frontend/internal/auth/openidconnect/middleware_test.go b/enterprise/cmd/frontend/internal/auth/openidconnect/middleware_test.go
@@ -14,6 +14,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc"
+	"github.com/stretchr/testify/assert"
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
@@ -144,6 +145,20 @@ func TestMiddleware(t *testing.T) {
 	db := database.NewStrictMockDB()
 	db.UsersFunc.SetDefaultReturn(users)
 
+	securityLogs := database.NewStrictMockSecurityEventLogsStore()
+	db.SecurityEventLogsFunc.SetDefaultReturn(securityLogs)
+	securityLogs.LogEventFunc.SetDefaultHook(func(_ context.Context, event *database.SecurityEvent) {
+		assert.Equal(t, "/.auth/openidconnect/callback", event.URL)
+		assert.Equal(t, "BACKEND", event.Source)
+		assert.NotNil(t, event.Timestamp)
+		if event.Name == database.SecurityEventOIDCLoginFailed {
+			assert.NotEmpty(t, event.AnonymousUserID)
+			assert.IsType(t, json.RawMessage{}, event.Argument)
+		} else {
+			assert.Equal(t, uint32(123), event.UserID)
+		}
+	})
+
 	if err := mockGetProviderValue.Refresh(context.Background()); err != nil {
 		t.Fatal(err)
 	}
@@ -340,6 +355,16 @@ func TestMiddleware_NoOpenRedirect(t *testing.T) {
 	db := database.NewStrictMockDB()
 	db.UsersFunc.SetDefaultReturn(users)
 
+	securityLogs := database.NewStrictMockSecurityEventLogsStore()
+	db.SecurityEventLogsFunc.SetDefaultReturn(securityLogs)
+	securityLogs.LogEventFunc.SetDefaultHook(func(_ context.Context, event *database.SecurityEvent) {
+		assert.Equal(t, "/.auth/openidconnect/callback", event.URL)
+		assert.Equal(t, "BACKEND", event.Source)
+		assert.NotNil(t, event.Timestamp)
+		assert.Equal(t, database.SecurityEventOIDCLoginSucceeded, event.Name)
+		assert.Equal(t, uint32(123), event.UserID)
+	})
+
 	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})
 	authedHandler := Middleware(db).App(h)
 

diff --git a/internal/database/security_event_logs.go b/internal/database/security_event_logs.go
@@ -51,6 +51,9 @@ const (
 
 	SecurityEventGitLabAuthSucceeded SecurityEventName = "GitLabAuthSucceeded"
 	SecurityEventGitLabAuthFailed    SecurityEventName = "GitLabAuthFailed"
+
+	SecurityEventOIDCLoginSucceeded SecurityEventName = "SecurityEventOIDCLoginSucceeded"
+	SecurityEventOIDCLoginFailed    SecurityEventName = "SecurityEventOIDCLoginFailed"
 )
 
 // SecurityEvent contains information needed for logging a security-relevant event.