Additional audit logging for OAuth 2.0

Introduction

In certain situations it's helpful to have a more granular audit trail. Additional audit logging for OAuth 2.0 applications can be enabled using an application compatibility flag ExtendedOAuth2AuditLogging. More information about OAuth 2.0 integrations and flags can be found in OAuth 2.0 integration guide - SSO.

Entry types

Enabling the flag adds the following entry types to the audit log:

  • Authentication request
  • Token granted

Authentication request

An "authentication request" entry is logged when a properly formatted OAuth 2.0 authorization request is received from a client.

"Authentication request" entry format

Field name                      Example value
Timestamp                       "2003-08-25 12:57:02,622"
IP-Address                      "192.168.0.66"
Entry type                      "authentication request"
Session identifier              "dfff2af759817ce44c3d31654e1b573"
Authentication request origin   "cn=service,ou=example,dc=example"
Scopes                          "openid scope1"
ACR values                      "acrvalue1 acrvalue2"
User agent                      "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field name                      Description
Session ID                      Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin   The LDAP name of the client application which initiated the authentication process.
Scopes                          Scopes that were sent in the authentication request.
ACR values                      ACR values that were sent in the authentication request.
User Agent                      Identification of the web client used for authentication, taken from the "User-Agent" HTTP request header.

Example:

"2003-08-25 12:57:02,622", "192.168.0.66", "authentication request", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "acrvalue1 acrvalue2", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Token granted

A "token granted" entry is logged for each valid OAuth 2.0 token request, i.e. when an access token is issued to the calling client. The token endpoint is usually called from the client application's backend rather than from a browser, so in those situations the User agent field will usually be empty.

"Token granted" entry format

Field name                      Example value
Timestamp                       "2003-08-25 12:57:02,622"
IP-Address                      "192.168.0.66"
Entry type                      "token granted"
Session identifier              "dfff2af759817ce44c3d31654e1b573"
Authentication request origin   "cn=service,ou=example,dc=example"
Granted scopes                  "openid scope1"
Audiences                       "client.id.1 client.id.2"
Authentication method           "authn.1"
Ubisecure user ID               "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example"
Web Application User ID         "mappedUsername"
User agent                      "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"

Where fields are:

Field name                      Description
Session ID                      Unique identifier generated for the single sign-on session when it is created.
Authentication Request Origin   The LDAP name of the client application which initiated the authentication process.
Granted Scopes                  Space-separated list of scopes that were granted. These are the scopes from the authentication request that were authorized based on the application configuration and the authorization policy.
Audiences                       Relevant only for OAuth 2.0 applications, including OpenID Connect. If a requested scope refers to another application by that application's client ID in SSO, the client IDs of those applications are listed here, separated by spaces.
Authentication Method           Name of the authentication method that was used.
Ubisecure User ID               Unique identifier for the user:
                                  • For users registered in an LDAP directory, this is their LDAP name.
                                  • For users registered in an SQL Directory, this is formed from their uniqueid and the LDAP name of the authentication method.
                                  • For other users, this is formed from the Authentication Method User ID and the LDAP name of the authentication method.
Web Application User ID         The username sent to the application. The source of this value depends on the type of the application.
                                Administrators can override it by setting an attribute named 'username' in the authorization policy, which customizes the logged value.
User Agent                      Value of the "User-Agent" HTTP request header.

Example:

"2003-08-25 12:57:02,622", "192.168.0.66", "token granted", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "client.id.1 client.id.2", "authn.1", "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example", "mappedUsername", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"
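As an added example (not part of this page or of the Ubisecure product), the following Python parses lines in the two entry formats described above, selecting the column layout by the Entry type field, and correlates "authentication request" and "token granted" entries by session identifier. The sample lines are constructed: the page's two examples, a second session whose token granted entry carries a scope that was never requested, and one truncated line. Two points are assumptions of this example rather than statements of the page: that the entries for one SSO session share the same session identifier (as the page's two examples do), and that a token granted entry with no authentication request in the same batch is worth reporting as informational only, since grants that never pass through the authorization endpoint also produce no such entry.

```python
import csv
import io

# Column layouts of the two entry types, in the order given by the tables on
# this page. The keys are the literal values of the "Entry type" field.
LAYOUTS = {
    "authentication request": [
        "timestamp", "ip_address", "entry_type", "session_id",
        "authn_request_origin", "scopes", "acr_values", "user_agent",
    ],
    "token granted": [
        "timestamp", "ip_address", "entry_type", "session_id",
        "authn_request_origin", "granted_scopes", "audiences",
        "authentication_method", "ubisecure_user_id", "web_app_user_id",
        "user_agent",
    ],
}


def parse_entry(line):
    """Parse one audit line (quoted, comma-separated fields) into a dict.

    Quoted values may themselves contain commas (the timestamp, the LDAP
    names), so a real CSV reader is used rather than str.split. A wrong
    field count or unknown entry type raises ValueError so that a truncated
    or hand-edited line is never silently misread.
    """
    values = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    if len(values) < 3:
        raise ValueError("fewer than three fields: %r" % line)
    layout = LAYOUTS.get(values[2])
    if layout is None:
        raise ValueError("unknown entry type %r" % values[2])
    if len(values) != len(layout):
        raise ValueError("expected %d fields for %r, got %d"
                         % (len(layout), values[2], len(values)))
    return dict(zip(layout, values))


def audit_findings(lines):
    """Correlate entries by session identifier and return a list of findings.

    Assumption (this example's, not the page's): entries for the same SSO
    session carry the same session identifier. Granted scopes are documented
    as a subset of the scopes in the authentication request, so a token
    granted entry whose scopes were never requested in that session is
    reported.
    """
    requested = {}   # session_id -> set of scopes seen in authentication requests
    findings = []
    for number, line in enumerate(lines, start=1):
        try:
            entry = parse_entry(line)
        except ValueError as exc:
            findings.append("line %d: unparseable (%s)" % (number, exc))
            continue
        sid = entry["session_id"]
        if entry["entry_type"] == "authentication request":
            requested.setdefault(sid, set()).update(entry["scopes"].split())
            continue
        granted = set(entry["granted_scopes"].split())
        if sid not in requested:
            # Informational only: grants that never touch the authorization
            # endpoint have no authentication request entry to pair with.
            findings.append("line %d: token granted for session %s with no "
                            "authentication request in this batch" % (number, sid))
            continue
        extra = granted - requested[sid]
        if extra:
            findings.append("line %d: session %s granted scopes never requested: %s"
                            % (number, sid, " ".join(sorted(extra))))
    return findings


# Constructed sample input: the two examples from this page, a second session
# that is granted "scope2" without having requested it, and a truncated line.
SAMPLE_LINES = [
    '"2003-08-25 12:57:02,622", "192.168.0.66", "authentication request", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "acrvalue1 acrvalue2", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"',
    '"2003-08-25 12:57:02,622", "192.168.0.66", "token granted", "dfff2af759817ce44c3d31654e1b573", "cn=service,ou=example,dc=example", "openid scope1", "client.id.1 client.id.2", "authn.1", "uid=010101+2221,cn=authn.1,cn=Server,ou=System,dc=example", "mappedUsername", "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1"',
    '"2003-08-25 13:01:10,004", "192.168.0.67", "authentication request", "aaaa1111bbbb2222cccc3333dddd4444", "cn=service,ou=example,dc=example", "openid", "", "Mozilla/5.0"',
    '"2003-08-25 13:01:11,250", "10.0.0.5", "token granted", "aaaa1111bbbb2222cccc3333dddd4444", "cn=service,ou=example,dc=example", "openid scope2", "client.id.1", "authn.1", "uid=424242,cn=authn.1,cn=Server,ou=System,dc=example", "alice", ""',
    '"2003-08-25 13:02:00,000", "10.0.0.5", "token granted", "eeee5555"',
]

if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_LINES):
        print(finding)
```

Run against the sample, the second session is reported for "scope2" and the last line is reported as unparseable; the page's own two examples pair up cleanly and produce no finding. The empty User agent on the fourth line is the backend token-endpoint case described above and is deliberately not treated as a finding.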

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.