  1. OpenAM
  2. OPENAM-14770

OAuth2 token tracking IDs not logged when calling /introspect endpoint

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.5.1
    • Fix Version/s: None
    • Component/s: audit logging, oauth2
    • Labels:
      None

      Description

      Bug description

      Calls to the OAuth2 /introspect endpoint generate an access audit event but the audit tracking ID of the access token or refresh token presented is not included in this audit event.

      Due to this, we cannot correlate the audit event for the call to /introspect with other audit events relating to the presented token.

      How to reproduce the issue

      1. Install AM and set up OAuth2 provider + OAuth2 client
      2. Obtain an access token
      3. Call the /introspect endpoint with the access token

      Expected behaviour

      The event logged to ~/openam/openam/log/access.audit.json includes the tracking ID of the presented access token

      Current behaviour

      The event logged to ~/openam/openam/log/access.audit.json only includes the tracking ID of the client session
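
The correlation gap described above, as an added example that is not part of the original report or of AM's own code. The field names (`trackingIds`, `transactionId`, `http.request.path`) are assumed from AM's JSON audit format, and the two log lines and every ID in them are constructed placeholders.

```python
import json

# Constructed audit lines (one JSON object per line, like access.audit.json).
# Field names and all IDs are assumptions/placeholders, not taken from the issue.
CURRENT = """\
{"transactionId":"tx-1","trackingIds":["sess-client-1","tok-A"],"http":{"request":{"path":"/openam/oauth2/access_token"}}}
{"transactionId":"tx-2","trackingIds":["sess-client-2"],"http":{"request":{"path":"/openam/oauth2/introspect"}}}
"""
# Same log as it would look with the expected behaviour: token ID on /introspect.
EXPECTED = CURRENT.replace('["sess-client-2"]', '["sess-client-2","tok-A"]')


def parse_events(text):
    """Parse JSON-lines audit text, skipping blank or truncated lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partially written line, e.g. during log rotation
    return events


def path_of(event):
    """Request path of an access event, or '' when the field is absent."""
    return event.get("http", {}).get("request", {}).get("path", "")


def token_timeline(events, token_tracking_id):
    """Transaction IDs of every event that carries the token's tracking ID."""
    return [e.get("transactionId") for e in events
            if token_tracking_id in (e.get("trackingIds") or [])]


def unlinked_introspect_calls(events, token_tracking_ids):
    """Introspect events whose trackingIds name none of the known token IDs."""
    known = set(token_tracking_ids)
    return [e.get("transactionId") for e in events
            if path_of(e).endswith("/introspect")
            and not known & set(e.get("trackingIds") or [])]


if __name__ == "__main__":
    print(token_timeline(parse_events(CURRENT), "tok-A"))
    print(unlinked_introspect_calls(parse_events(CURRENT), ["tok-A"]))
```

Run against a real log, `unlinked_introspect_calls` lists the introspection requests that an investigation of a given token would miss when joining on tracking ID alone.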
      

            People

            • Assignee:
              Unassigned
              Reporter:
              craig.mcdonnell Craig McDonnell