AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

Change severity level for logs like "IDX10223: Lifetime validation failed. The token is expired" #2614

Open Marusyk opened 7 months ago

Marusyk commented 7 months ago

Microsoft.Identity.Web Library

Microsoft.Identity.Web

Microsoft.Identity.Web version

2.16.1

Web app

Sign-in users and call web APIs

Web API

Protected web APIs (validating tokens)

Token cache serialization

Not Applicable

Description

Every day I get a lot of error logs like

  1. IDX10223: Lifetime validation failed. The token is expired...
  2. IDX10205: Issuer validation failed...

The 1st one is not an error and we want to ignore it: it means that some of our clients make a request with an expired token, then a 401 is returned and the client goes to the refresh endpoint for a new token. So it's not an error on the server side; we can't fix it from the server side. Why is it treated as an error?

How can we disable/ignore them, or change their severity?

jennyf19 commented 6 months ago

@westin-m The fix might need to happen in IdentityModel, if so, you can transfer the issue over there.

jennyf19 commented 6 months ago

Could be related to this: AzureAD/microsoft-identity-web#2675

johnwc commented 5 months ago

Looking for this answer as well. Need to change logging level specifically for IDX10223.

AndreErb commented 2 weeks ago

@jennyf19 Any plans or news on this issue? We need this too.

Treating IDX10223 as an error in logs (Server-side) seems wrong. An expired token is not an error on the Server side, it's a Client-side problem. It just fills up the logs.

https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/2614#issuecomment-2135739124 is not really the solution to this issue, because it's about deactivating Identity logs completely, as shown here. However, we do not want to disable all Identity logging.

IDX10223 should be treated as a Warning. Alternatively, it would be nice to have a way to "opt-out" from it.

jmprieur commented 2 weeks ago

I agree that there is nothing the web API can do when it receives expired tokens. @jennyf19 @brentschmaltz any objections to changing the severity to warning or info?
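An application-side workaround for the question in this thread, added here as an example and not code from the library or from any participant: a Microsoft.Extensions.Logging decorator that forwards entries carrying the IDX10223 code at Warning instead of Error while leaving all other Identity logging in place. The class names are assumptions; it also assumes the MEL 7+ `ILogger` signatures and that the library's message or exception text reaches the application's `ILogger`.

```csharp
using System;
using Microsoft.Extensions.Logging;

// Decorator that lowers the level of entries whose message (or exception) carries
// the IDX10223 code (expired token) from Error to Warning before forwarding them.
// Everything else passes through unchanged. IDX10223 is the code from the thread;
// the class names are assumptions made for this example.
public sealed class IdxSeverityLogger : ILogger
{
    private readonly ILogger _inner;
    public IdxSeverityLogger(ILogger inner) => _inner = inner;

    public IDisposable? BeginScope<TState>(TState state) where TState : notnull
        => _inner.BeginScope(state);

    // An Error may be demoted to Warning, so report enabled when either level is on.
    public bool IsEnabled(LogLevel level)
        => _inner.IsEnabled(level)
           || (level == LogLevel.Error && _inner.IsEnabled(LogLevel.Warning));

    public void Log<TState>(LogLevel level, EventId eventId, TState state,
        Exception? exception, Func<TState, Exception?, string> formatter)
    {
        if (level == LogLevel.Error && MentionsExpiredToken(formatter(state, exception), exception))
            level = LogLevel.Warning;

        if (_inner.IsEnabled(level))
            _inner.Log(level, eventId, state, exception, formatter);
    }

    private static bool MentionsExpiredToken(string message, Exception? exception)
        => message.Contains("IDX10223", StringComparison.Ordinal)
           || (exception?.Message.Contains("IDX10223", StringComparison.Ordinal) ?? false);
}

// Provider wrapper so the decorator can be applied to an existing provider, e.g.
// builder.Logging.ClearProviders();
// builder.Logging.AddProvider(new IdxSeverityLoggerProvider(new DebugLoggerProvider()));
public sealed class IdxSeverityLoggerProvider : ILoggerProvider
{
    private readonly ILoggerProvider _inner;
    public IdxSeverityLoggerProvider(ILoggerProvider inner) => _inner = inner;

    public ILogger CreateLogger(string categoryName)
        => new IdxSeverityLogger(_inner.CreateLogger(categoryName));

    public void Dispose() => _inner.Dispose();
}
```

Because the match is on the IDX code in the text, the same decorator can demote other codes (or drop IDX10223 entirely by not forwarding it) without touching the library's own logging configuration.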