Additional audit logging for OAuth 2.0
Introduction
In certain situations it is helpful to have a more granular audit trail. Additional audit logging for OAuth 2.0 applications can be enabled using the application compatibility flag ExtendedOAuth2AuditLogging. More information about OAuth 2.0 integrations and flags can be found in the OAuth 2.0 integration guide - SSO.
Entry types
This adds the following entry types:
- Authentication request
- Token granted
Authentication request
An "authentication request" entry is logged when a properly formatted OAuth 2.0 authorization request is received from a client.
"Authentication request"-entry format
Field name | Timestamp | IP-Address | Entry type | Session identifier | Authentication request origin | Scopes | ACR values | User agent |
---|---|---|---|---|---|---|---|---|
Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "authentication request" | "dfff2af759817ce44c3d31654e1b573" | "cn=service,ou=example,dc=example" | "openid scope1" | "acrvalue1 acrvalue2" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
Field Name | Description |
---|---|
Session ID | Unique identifier generated for the single sign-on session when it is created. |
Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
Scopes | Scopes that were sent in the authentication request. |
ACR values | ACR values that were sent in the authentication request. |
User Agent | Identification of the Web client used for authentication from the "User-Agent" HTTP request header. |
Example:
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication request", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "acrvalue1 acrvalue2", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
Token granted
A "token granted" entry is logged for valid OAuth 2.0 token requests, i.e. when an access token is issued to the calling client. The token endpoint is usually called from a backend, so in those situations the User Agent field has no value.
"Token granted"-entry format
Field name | Timestamp | IP-Address | Entry type | Session identifier | Authentication request origin | Granted Scopes | Audiences | Authentication method | Ubisecure user ID | Web Application User ID | User agent |
---|---|---|---|---|---|---|---|---|---|---|---|
Example values | "2003-08-25 12:57:02,622" | "192.168.0.66" | "token granted" | "dfff2af759817ce44c3d31654e1b573" | "cn=service,ou=example,dc=example" | "openid scope1" | "client.id.1 client.id.2" | "authn.1" | "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example" | "mappedUsername" | "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1" |
Where fields are:
Field Name | Description |
---|---|
Session ID | Unique identifier generated for the single sign-on session when it is created. |
Authentication Request Origin | The LDAP name of the client application which initiated the authentication process. |
Granted Scopes | Space separated list of scopes that were granted. These are the scopes from the authentication request that are authorized based on application configuration and authorization policy. |
Audiences | Audiences are relevant only for OAuth 2.0 applications, including OpenID Connect. If a scope the application requests refers to another application by that application's client ID in SSO, the IDs of those applications are listed in this column. The application client IDs are separated by a space. |
Authentication Method | Name of the used authentication method. |
Ubisecure User ID | Unique identifier for the user. For users registered in the user directory this is the user's LDAP name; for other users this ID is formed from the Authentication Method User ID and the LDAP name of the authentication method used. |
Web Application User ID | The username sent to the application. The source of this data depends on the type of the application. Administrators can override this by setting a value in the authorization policy with the attribute name 'username', which allows customizing the logged value. |
User Agent | Value of User-Agent HTTP request header. |
Example:
"2003-08-25 12:57:02,622", "192.168.0.66", "token granted", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "client.id.1 client.id.2", "authn.1", "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example", "mappedUsername", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
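As an added example (not part of the Ubisecure documentation or product), the following parses both entry formats described above and correlates them on the session identifier, flagging token grants with no logged authentication request and granted scopes that were never requested. The sample log is constructed from the page's two entries plus three invented lines, and the column names are labels chosen here for the page's fields.

```python
import csv
import io
from collections import defaultdict

# Column order for each entry type, taken from the format tables above.
FIELDS_BY_TYPE = {
    "authentication request": ("timestamp", "ip", "entry_type", "session_id", "origin",
                               "scopes", "acr_values", "user_agent"),
    "token granted": ("timestamp", "ip", "entry_type", "session_id", "origin",
                      "granted_scopes", "audiences", "authn_method",
                      "ubisecure_user_id", "app_user_id", "user_agent"),
}

# Constructed sample log, not real audit data: the page's two entries, a token grant
# whose session has no authentication request, and a grant of an unrequested scope.
SAMPLE_LOG = '''\
"2003-08-25 12:57:02,622", "192.168.0.66", "authentication request", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "acrvalue1 acrvalue2", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
"2003-08-25 12:57:02,622", "192.168.0.66", "token granted", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "client.id.1 client.id.2", "authn.1", "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example", "mappedUsername", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
"2003-08-25 13:01:44,010", "10.0.0.12", "token granted", "0123456789abcdef0123456789abcdef", "cn=service,ou=example,dc=example", "openid", "client.id.1", "authn.1", "uid=020202+3331,cn=authn.1,cn=Server,ou=System,dc=example", "otherUser", ""
"2003-08-25 13:02:00,000", "10.0.0.13", "authentication request", "feedfacefeedfacefeedfacefeedface", "cn=service,ou=example,dc=example", "openid", "", "curl/8.0"
"2003-08-25 13:02:00,300", "10.0.0.13", "token granted", "feedfacefeedfacefeedfacefeedface", "cn=service,ou=example,dc=example", "openid scope1", "client.id.2", "authn.1", "uid=030303+4441,cn=authn.1,cn=Server,ou=System,dc=example", "thirdUser", ""
'''

def parse_entries(text):
    # The timestamp holds a comma ("12:57:02,622"), so read quoted CSV rather than
    # splitting on ','; unknown types or wrong column counts are rejected, not guessed.
    entries = []
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        fields = FIELDS_BY_TYPE.get(row[2]) if len(row) > 2 else None
        if fields is None or len(row) != len(fields):
            raise ValueError(f"unexpected audit row: {row!r}")
        entries.append(dict(zip(fields, row)))
    return entries

def find_scope_anomalies(entries):
    # Correlate on the session identifier: flag grants with no logged request in
    # the same session, and granted scopes that no request in the session asked for.
    requested = defaultdict(set)
    for e in entries:
        if e["entry_type"] == "authentication request":
            requested[e["session_id"]].update(e["scopes"].split())
    anomalies = []
    for e in entries:
        if e["entry_type"] != "token granted":
            continue
        sid = e["session_id"]
        if sid not in requested:
            anomalies.append((sid, "no authentication request logged"))
            continue
        extra = sorted(set(e["granted_scopes"].split()) - requested[sid])
        if extra:
            anomalies.append((sid, "granted but not requested: " + " ".join(extra)))
    return anomalies
```

Run against a real export, the same correlation needs a time window per session, since the grant for a long-lived session may land in a later log file than its authentication request.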