How to log and trace OAuth2 and OpenID Connect HTTP messages

Detailed logging and tracing of the OpenID Connect method for the following transactions can be enabled:

  • Token request

Additionally, if no id_token is returned with the access_token (or the id_token has been disabled by using the none algorithm), the following are also traced:

  • Userinfo request
  • Introspection request

To enable tracing

Since SSO 9.1 the logger configuration has changed; see Logging - SSO, in particular Diag log description - SSO / Configuring log levels for arbitrary classes, for details.

On each node, modify ubilogin-sso/ubilogin/custom/logging/include-logback.xml configuration file.

Add the following line to the last section of the configuration file and restart SSO on each node with: systemctl restart ubilogin-server

<!-- (10) Customise log levels -->
<logger name="com.ubisecure.oauth2.http.impl.HttpRequestImpl" level="TRACE" />
In addition, you may set the Protocol logger to DEBUG level via Management UI logging configuration - SSO.

After this change has been made, additional logging is written to sso_diag log.

Outbound requests can be found by searching the log for "HttpRequestImpl TRACE HttpRequest.invoke()".

The authorization request object is logged after encryption, if encryption is applied.

For token and other requests, only the GET or POST request and its parameters are logged, not the request body. Responses are not logged.

If the system is configured only to sign request objects, the request JWT can be decoded and examined.
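As an added example (not part of this documentation or the SSO product), a small Python helper that pulls the request parameter out of a logged HttpRequest.invoke() line and decodes the header and claims of a signed request object, or reports that only the JWE header is readable when encryption is on. The log line layout and the sample JWT are constructed assumptions; the signature is not verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def b64url_decode(part: str) -> bytes:
    """Decode unpadded base64url, as used in JWS/JWE compact serialization."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_request_object(token: str) -> dict:
    """Classify a logged request object and decode whatever is readable.

    Only the structure is decoded; the signature is NOT verified. This is a
    debugging aid for reading your own outbound request, not a validation step.
    """
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5:
        # JWE compact serialization: the payload is ciphertext, so only the
        # protected header (alg/enc) can be read. This is why encryption has
        # to be disabled temporarily to see the outbound format.
        return {"type": "JWE", "header": header, "claims": None}
    if len(parts) == 3:
        return {"type": "JWS", "header": header,
                "claims": json.loads(b64url_decode(parts[1]))}
    raise ValueError("not a compact JWS/JWE: %d segments" % len(parts))


def request_object_from_log(line: str) -> str:
    """Pull the 'request' query parameter out of a logged outbound URL."""
    url = next(tok for tok in line.split() if tok.startswith("http"))
    return parse_qs(urlsplit(url).query)["request"][0]


# Constructed sample: a signed (RS256) request object with a placeholder
# signature, embedded in a trace line shaped like the one described above.
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "RS256"}).encode()),
    b64url_encode(json.dumps({"client_id": "demo-rp", "response_type": "code",
                              "scope": "openid", "state": "abc123"}).encode()),
    "placeholder-signature",
])
SAMPLE_LINE = ("HttpRequestImpl TRACE HttpRequest.invoke() GET "
               "https://op.example.test/authorize?client_id=demo-rp&request=" + SAMPLE_JWT)

if __name__ == "__main__":
    print(json.dumps(inspect_request_object(request_object_from_log(SAMPLE_LINE)), indent=2))
```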

Debugging encrypted request objects

To debug outbound requests to a partner that requires encryption, the only option is to disable encryption temporarily to capture the outbound format. The receiving party may or may not reject the request, depending on its security requirements.

When registering the OpenID Connect method, make sure that signing is on:

request_object_signing_alg="RS256"

and that encryption is turned off by removing the following two keys from the JSON metadata:

request_object_encryption_alg

request_object_encryption_enc

This level of logging exposes sensitive information and degrades performance. It is meant only for troubleshooting in testing environments.