TokenRequestValidator logs every check failure as error - such as username is missing or username/password invalid, etc. I would not consider invalid input from user as error to be logged - from my perspective it could be max as a warning (ideally I would make that debug level logging as it's bad input problem which don't want to fill your logs unless you're debugging stuff). For example AuthenticationController uses warning level for when user authentication fails.
Why I'm concerned with that - we have to support legacy system with "old fashioned" login system and for this we have to use special client with ResourceOwner flow to proxy calls with username/password so we have single place authenticating users. And this means when invalid user data is passed we get errors logged and we can not control this.
I know that logging in production is discouraged by your documentation but we use it as supplement to events provided and it works seamlessly with our monitoring system.
Would you accept making all those errors logged as warning level or lower or would you have other suggestions?
TokenRequestValidator logs every check failure as error - such as username is missing or username/password invalid, etc. I would not consider invalid input from user as error to be logged - from my perspective it could be max as a warning (ideally I would make that debug level logging as it's bad input problem which don't want to fill your logs unless you're debugging stuff). For example AuthenticationController uses warning level for when user authentication fails.
Why I'm concerned with that - we have to support legacy system with "old fashioned" login system and for this we have to use special client with ResourceOwner flow to proxy calls with username/password so we have single place authenticating users. And this means when invalid user data is passed we get errors logged and we can not control this.
I know that logging in production is discouraged by your documentation but we use it as supplement to events provided and it works seamlessly with our monitoring system.
Would you accept making all those errors logged as warning level or lower or would you have other suggestions?