How to log and trace OAuth2 and OpenID Connect HTTP messages
Detailed logging and tracing of the outbound HTTP messages sent by the OpenID Connect method can be enabled for the following transactions:
- Token request
Additionally, if no id_token is returned with the access_token (or the id_token has been disabled by using the none algorithm), also for the following:
- Userinfo request
- Introspection request
To enable tracing
Since SSO 9.1 the logger configuration has changed; see Logging - SSO, especially Diag log description - SSO / Configuring log levels for arbitrary classes.
On each node, modify the ubilogin-sso/ubilogin/custom/logging/include-logback.xml configuration file.
Add the following logger line to the last section of the configuration file (the section marked by the "(10) Customise log levels" comment) and restart SSO on each node with systemctl restart ubilogin-server:
    <!-- (10) Customise log levels -->
    <logger name="com.ubisecure.oauth2.http.impl.HttpRequestImpl" level="TRACE" />
In addition, you may set the Protocol logger to DEBUG level via the Management UI; see Logging configuration - SSO.
After this change has been made, additional logging is written to the sso_diag log. Outbound requests can be found by searching for "HttpRequestImpl TRACE HttpRequest.invoke()".
The authorization request object is logged after encryption, if encryption is configured, so an encrypted request object appears in the log only as a JWE and its claims cannot be read from the log.
For token and other requests, only the GET or POST request line and its parameters are logged, not the request body. Responses are not logged at all.
If the system is configured only to sign request objects (not to encrypt them), the logged request JWT is a JWS whose header and claims are plain base64url-encoded JSON and can be decoded and examined without any key.
Debugging encrypted request objects
To debug outbound requests to a partner that requires encryption, the only option is to disable encryption temporarily and capture the unencrypted format. The receiving party may or may not reject the unencrypted request, depending on their security requirements.
When registering the OpenID Connect method, make sure that signing is on:
request_object_signing_alg="RS256"
and that encryption is turned off by removing the following two keys from the JSON metadata:
request_object_encryption_alg
request_object_encryption_enc
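As an added worked example (this is not Ubisecure code; the log line layout after "HttpRequest.invoke()", the client metadata dictionaries and the tokens are all constructed here), the following Python script pulls JOSE tokens out of an sso_diag TRACE line, decodes a signed-only (JWS) request object so its claims can be examined, reports an encrypted (JWE) request object as not inspectable, and cross-checks what was observed against the registered request_object_* metadata keys described above. It covers both the signed-only case and the encrypted case in one script.

```python
"""Inspect OIDC request objects found in sso_diag TRACE lines.

Added example, not Ubisecure code. The log line format, metadata dicts and
tokens below are constructed for this example (assumptions, not captures).
"""
import base64
import json
import re
from typing import Dict, List, Optional


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Re-pad and decode one base64url segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_json_segment(segment: str) -> Optional[dict]:
    """Decode a JOSE segment as a JSON object, or None if it is not one."""
    try:
        obj = json.loads(b64url_decode(segment))
    except ValueError:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return obj if isinstance(obj, dict) else None


# --- Constructed sample data (not captured from a real system) -------------
SIGNING_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "sso-signing-key-1"}
REQUEST_CLAIMS = {
    "iss": "sso-client", "aud": "https://partner.example.com",
    "client_id": "sso-client", "response_type": "code",
    "redirect_uri": "https://sso.example.com/uas/oauth2/response",
    "scope": "openid profile", "state": "af0ifjsldkj", "nonce": "n-0S6_WzA2Mj",
}
# Signature bytes are a placeholder; a real RS256 signature needs the private key.
SIGNED_REQUEST_OBJECT = ".".join([
    b64url_encode(json.dumps(SIGNING_HEADER).encode()),
    b64url_encode(json.dumps(REQUEST_CLAIMS).encode()),
    b64url_encode(b"\x00" * 256),
])
ENCRYPTION_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM", "kid": "partner-enc-key-1"}
# JWE compact form: header.encrypted_key.iv.ciphertext.tag (placeholder bytes).
ENCRYPTED_REQUEST_OBJECT = ".".join([
    b64url_encode(json.dumps(ENCRYPTION_HEADER).encode()),
    b64url_encode(b"\x11" * 256), b64url_encode(b"\x22" * 12),
    b64url_encode(b"\x33" * 64), b64url_encode(b"\x44" * 16),
])
SAMPLE_LOG_LINE = (  # assumed layout of a TRACE line; only the search key is from the docs
    "2024-05-06 10:15:30,123 HttpRequestImpl TRACE HttpRequest.invoke() GET "
    "https://partner.example.com/authorize?client_id=sso-client&request="
    + SIGNED_REQUEST_OBJECT
)
# Registered client metadata: production form with encryption, and the
# debugging form with the two request_object_encryption_* keys removed.
PRODUCTION_METADATA = {"request_object_signing_alg": "RS256",
                       "request_object_encryption_alg": "RSA-OAEP",
                       "request_object_encryption_enc": "A256GCM"}
DEBUG_METADATA = {"request_object_signing_alg": "RS256"}

JOSE_CANDIDATE = re.compile(r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]*){2,4}")


def extract_request_objects(log_line: str) -> List[str]:
    """Return JWS/JWE compact tokens in a log line; hostnames and the like are dropped."""
    found = []
    for candidate in JOSE_CANDIDATE.findall(log_line):
        header = decode_json_segment(candidate.split(".")[0])
        if header is not None and "alg" in header and candidate.count(".") in (2, 4):
            found.append(candidate)
    return found


def inspect_request_object(token: str) -> Dict:
    """Classify a logged request object and expose whatever the log lets you read."""
    segments = token.split(".")
    header = decode_json_segment(segments[0])
    if header is None or "alg" not in header:
        raise ValueError("not a JOSE compact object: first segment is not a header with 'alg'")
    if len(segments) == 5:
        # JWE: only the protected header is in the clear; the claims need the
        # partner's private key, hence the advice to disable encryption temporarily.
        return {"kind": "JWE", "alg": header["alg"], "enc": header.get("enc"),
                "claims": None, "note": "encrypted; claims not inspectable from the log"}
    if len(segments) == 3:
        claims = decode_json_segment(segments[1])
        if claims is None:
            raise ValueError("JWS payload is not a JSON claims object")
        note = "unsigned (alg=none)" if header["alg"] == "none" else "signed; decoded without a key"
        return {"kind": "JWS", "alg": header["alg"], "enc": None, "claims": claims, "note": note}
    raise ValueError("unexpected segment count %d" % len(segments))


def check_against_metadata(report: Dict, metadata: Dict) -> List[str]:
    """Compare the observed request object with what the registered metadata asks for."""
    findings = []
    encryption_on = ("request_object_encryption_alg" in metadata
                     or "request_object_encryption_enc" in metadata)
    if report["kind"] == "JWE" and not encryption_on:
        findings.append("request object is encrypted but metadata has no request_object_encryption_* keys")
    if report["kind"] == "JWS" and encryption_on:
        findings.append("request object is unencrypted but metadata still requests encryption")
    expected_alg = metadata.get("request_object_signing_alg")
    if report["kind"] == "JWS" and expected_alg and report["alg"] != expected_alg:
        findings.append("signing alg %s differs from registered %s" % (report["alg"], expected_alg))
    return findings  # for a JWE the inner signing alg is inside the ciphertext; nothing to compare


if __name__ == "__main__":
    for tok in extract_request_objects(SAMPLE_LOG_LINE):
        report = inspect_request_object(tok)
        print(json.dumps(report, indent=2))
        print("vs DEBUG_METADATA:", check_against_metadata(report, DEBUG_METADATA))
        print("vs PRODUCTION_METADATA:", check_against_metadata(report, PRODUCTION_METADATA))
    print(json.dumps(inspect_request_object(ENCRYPTED_REQUEST_OBJECT), indent=2))
```

Run it against real sso_diag lines by replacing SAMPLE_LOG_LINE with the captured line; decoding the JWS payload reveals exactly what the partner receives (state, nonce, redirect_uri, scope), while a five-segment token is the sign that encryption is still on and the metadata keys above have not taken effect.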
This level of logging exposes sensitive information (such as authorization codes and any client credentials sent as request parameters) and degrades performance. It is meant only for troubleshooting in testing environments; revert the logger level afterwards.