
Need more Audit logging for SAML2/OAuth2/OIDC/UMA request/response fields

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.0
    • Fix Version/s: None
    • Component/s: audit logging

    Description

    Currently the audit logging does not seem able to record explicit fields of the OAuth2/UMA request/response. For example, the access_token audit only records the scope and token_type; user-defined or other scopes are not possible. Likewise, if the OAuth2 response has an extra attribute such as profile or a custom value (defined in a custom ScopeValidator), it is not possible to log these.

      AuditEvent [value={ "realm": "/", "timestamp": "2017-01-17T00:35:00.349Z", "transactionId": "2cad2675-907f-4b07-8a40-25f6b7e10429-4338", "eventName": "AM-ACCESS-OUTCOME", "component": "OAuth", "userId": "myClientID", "response": { "status": "SUCCESSFUL", "statusCode": "", "elapsedTime": 164228, "elapsedTimeUnits": "MILLISECONDS", "detail": { "scope": "cn", "token_type": "Bearer" } }
      

    RFE

    • It would be good if there were some way for the audit logging to record customizable OAuth2/OIDC/UMA request/response fields (per realm).
    • It would also be good if there were some way to attach extra audit data from extension points such as ScopeValidator, so that it is sent to the audit log. Currently this is also not possible.
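As an added illustration of the per-realm field selection this request asks for (example code written here, not OpenAM code), the snippet below applies a hypothetical per-realm allow-list to a constructed token response, fingerprints token values instead of copying them, and reports which response fields a given configuration would leave unaudited; with only the current fixed default of scope and token_type, every custom attribute is dropped, which is the gap described above. The realm names, field lists and the custom_claim/profile values are assumptions.

```python
import hashlib

# Constructed sample: an OAuth2 token response carrying extra attributes
# (as a custom ScopeValidator might add). Not real OpenAM output.
TOKEN_RESPONSE = {
    "access_token": "constructed-opaque-token-value",
    "token_type": "Bearer",
    "expires_in": 3599,
    "scope": "cn profile",
    "profile": {"cn": "C-Weng C", "mail": "user@example.org"},
    "custom_claim": "gold-tier",
}

# Hypothetical per-realm allow-list of response fields to place in the
# audit event's "detail" block; realms not listed fall back to today's fixed set.
AUDIT_FIELDS_BY_REALM = {
    "/": ["scope", "token_type", "expires_in", "custom_claim"],
    "/partners": ["scope", "token_type", "profile"],
}
DEFAULT_AUDIT_FIELDS = ["scope", "token_type"]

# Credential-bearing fields are never copied verbatim into an audit log;
# a short hash lets an analyst correlate a token without being able to replay it.
SECRET_FIELDS = {"access_token", "refresh_token", "id_token"}


def fingerprint(value: str) -> str:
    """Return a 16-hex-character SHA-256 prefix of a token value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()[:16]


def build_audit_detail(realm: str, response: dict) -> dict:
    """Select the realm's configured fields for the AM-ACCESS-OUTCOME 'detail' block."""
    wanted = AUDIT_FIELDS_BY_REALM.get(realm, DEFAULT_AUDIT_FIELDS)
    detail = {k: response[k] for k in wanted if k in response and k not in SECRET_FIELDS}
    for k in sorted(SECRET_FIELDS & response.keys()):
        detail[k + "_sha256"] = fingerprint(response[k])
    return detail


def unaudited_fields(realm: str, response: dict) -> set:
    """Non-secret response fields that this realm's audit configuration would silently drop."""
    return set(response) - set(build_audit_detail(realm, response)) - SECRET_FIELDS
```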

    People

    • Assignee: Unassigned
    • Reporter: chee-weng.chea C-Weng C