[OPENAM-14770] OAuth2 token tracking IDs not logged when calling /introspect endpoint Created: 12/Apr/19  Updated: 24/Apr/19

Status: Open
Project: OpenAM
Component/s: audit logging, oauth2
Affects Version/s: 6.5.1
Fix Version/s: None

Type: Bug Priority: Major
Reporter: Craig McDonnell Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Bug description

Calls to the OAuth2 /introspect endpoint generate an access audit event but the audit tracking ID of the access token or refresh token presented is not included in this audit event.

Due to this, we cannot correlate the audit event for the call to the /introspect with other audit events relating to the presented token.

How to reproduce the issue

  1. Install AM and setup OAuth2 provider + OAuth2 client
  2. Obtain an access token
  3. Call the /introspect endpoint with the access token
Expected behaviour
The event logged to ~/openam/openam/log/access.audit.json includes the tracking ID of the presented access token
Current behaviour
The event logged to ~/openam/openam/log/access.audit.json only includes the tracking ID of the client session

Comment by Craig McDonnell [ 17/Apr/19 ]

No. Ivaylo Bahtchevanov [X] is keen to make use of these tracking IDs for the data science work but this issue won't block the SaaS beta. That said, I think it should be easy to resolve

Generated at Mon Nov 23 17:10:36 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.