Uploaded image for project: 'Identity Gateway'
  1. Identity Gateway
  2. OPENIG-2960

OAuth2 & UMA tokens from AM should be traceable through IG audit logs



    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 6.1.0
    • Fix Version/s: None
    • Component/s: Audit, OAuth 2.0, OpenAM, UMA
    • Labels:
    • Epic Link:
    • Sprint:
      2019.17 - IG / Microservices, 2020.01 - IG / Microservices
    • Story Points:


      All OAuth2 tokens created by AM are assigned a unique audit tracking identifier which can be used to correlate audit events which relate to that OAuth2 token.  For example, using the tracking ID assigned to the authorization code, it is possible to correlate the call to /authorize which minted the authorization code with the call to /token when the code is exchanged - Without tracking IDs this would be impossible as the two calls are made by separate parties (the resource owner, and the client).

      If IG is used to protect the resource server, it would be beneficial to be able to correlate audit events for resources accessed by the client back to the AM audit events relating to the creation of the access token.  When IG calls AM and propagation of the transaction ID is enabled, this may be possible (the AM audit event for the /introspect or /tokeninfo call will log the access token's audit tracking ID and this can be correlated with the IG audit event for resource access based on the shared transaction ID).  However, this correlation of AM and IG audit events will not always be possible - e.g. If IG caches the result of the call to AM's /introspect or /tokeninfo endpoint and doesn't need to contact AM before allowing or denying access to the requested resource.

      It would be beneficial if AM returned the audit tracking ID for an OAuth2 token (when calling /introspect or /tokeninfo) and for IG to record this tracking ID in all audit events when the token is presented.  Similarly, IG should log the audit tracking ID of OpenID Connect id tokens (it should already be a claim).


          Issue Links



              nils.renaud Nils Renaud
              craig.mcdonnell Craig McDonnell
              1 Vote for this issue
              2 Start watching this issue