indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Fix audit log for issued access tokens and add refresh token event #774

Closed federicaagostini closed 3 months ago

federicaagostini commented 4 months ago

This PR includes the issued token (AT and/or RT) decoded in an audit event, e.g.

2024-06-06 10:44:27.759  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"RefreshTokenIssuedEvent","timestamp":1717670606979,"category":"TOKEN","principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","message":"Refresh token issued","subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","scopes":["openid","email","offline_access","profile"],"grantType":"client_credentials","payload":{"exp":1720262606976,"jti":"9515d05f-e493-46e2-a622-ed2766b31d19"},"source":"IamTokenService"}
2024-06-06 10:44:27.823  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"AccessTokenIssuedEvent","timestamp":1717670607008,"category":"TOKEN","principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","message":"Access token issued","scopes":["openid","email","offline_access","profile"],"subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","grantType":"client_credentials","header":{"kid":"rsa1","alg":"RS256"},"payload":{"iss":"http://localhost:8080","iat":1717670606982,"exp":1717674206969,"sub":"e048abb2-54ec-48b1-af7f-2199d0086feb","jti":"9d5f9152-5723-4fb6-af45-e8902febdb38","client_id":"e048abb2-54ec-48b1-af7f-2199d0086feb"},"source":"IamTokenService"}

Example of Access Token well-formed AUDIT content:

{
   "@type":"AccessTokenIssuedEvent",
   "timestamp":1717669109480,
   "category":"TOKEN",
   "principal":"client",
   "message":"Access token issued",
   "scopes":[
      "openid",
      "email",
      "profile",
      "offline_access"
   ],
   "subject":"admin",
   "grantType":"authorization_code",
   "header":{
      "kid":"rsa1",
      "alg":"RS256"
   },
   "payload":{
      "iss":"http://localhost:8080",
      "iat":1717669109456,
      "exp":1717672709451,
      "sub":"73f16d93-2441-4a50-88ff-85360d78c6b5",
      "jti":"d9e14923-dd12-4c7a-ab02-335f6044c0c7",
      "client_id":"client"
   },
   "source":"IamTokenService"
}

Example of Refresh Token well-formed AUDIT content:

{
   "@type":"RefreshTokenIssuedEvent",
   "timestamp":1717669109454,
   "category":"TOKEN",
   "principal":"client",
   "message":"Refresh token issued",
   "subject":"admin",
   "scopes":[
      "openid",
      "email",
      "profile",
      "offline_access"
   ],
   "grantType":"authorization_code",
   "payload":{
      "exp":1725656807452,
      "jti":"45eb594f-c5bd-4473-8f4d-9ff1835a3ec1"
   },
   "source":"IamTokenService"
}

Depends on: https://github.com/indigo-iam/OpenID-Connect-Java-Spring-Server/pull/18
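
Added example (not part of the PR or the IAM code base): a small Python parser that consumes the audit events shown above, for instance to map the `jti` of a token back to the principal and subject it was issued to. It assumes the log line layout and epoch-millisecond timestamps seen in the sample lines; the function names are hypothetical.

```python
import json
import re

# Matches the JSON body after the "AUDIT  :" logger name, as in the sample lines.
AUDIT_RE = re.compile(r"\bAUDIT\s*:\s*(\{.*)$")
TOKEN_EVENTS = {"AccessTokenIssuedEvent", "RefreshTokenIssuedEvent"}

# Constructed sample: the two events from the PR description with some fields
# dropped, plus a non-audit line and a truncated audit line.
SAMPLE_LOG = '''\
2024-06-06 10:44:27.759  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"RefreshTokenIssuedEvent","timestamp":1717670606979,"principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","scopes":["openid","email","offline_access","profile"],"grantType":"client_credentials","payload":{"exp":1720262606976,"jti":"9515d05f-e493-46e2-a622-ed2766b31d19"}}
2024-06-06 10:44:27.823  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"AccessTokenIssuedEvent","timestamp":1717670607008,"principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","scopes":["openid","email","offline_access","profile"],"subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","grantType":"client_credentials","payload":{"iat":1717670606982,"exp":1717674206969,"jti":"9d5f9152-5723-4fb6-af45-e8902febdb38"}}
2024-06-06 10:44:27.900  INFO 2366961 --- [nio-8080-exec-3] example.Other  : request completed
2024-06-06 10:44:28.100  INFO 2366961 --- [nio-8080-exec-4] AUDIT  : {"@type":"AccessTokenIssuedEvent","timesta
'''

def parse_token_events(lines):
    """Return one record per token-issued audit event, skipping other lines."""
    records = []
    for line in lines:
        match = AUDIT_RE.search(line)
        if not match:
            continue
        try:
            event = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or corrupted audit line
        if event.get("@type") not in TOKEN_EVENTS:
            continue
        payload = event.get("payload", {})
        # Refresh token payloads carry no "iat"; fall back to the event timestamp.
        issued_ms = payload.get("iat", event.get("timestamp"))
        exp_ms = payload.get("exp")
        records.append({
            "type": event["@type"], "jti": payload.get("jti"),
            "principal": event.get("principal"), "subject": event.get("subject"),
            "grant": event.get("grantType"), "scopes": event.get("scopes", []),
            # Assumption from the samples: values are epoch milliseconds.
            "lifetime_s": round((exp_ms - issued_ms) / 1000) if exp_ms and issued_ms else None,
        })
    return records

def find_by_jti(records, jti):
    """Look up who a token was issued to, given the jti claim of a token."""
    return next((r for r in records if r["jti"] == jti), None)

if __name__ == "__main__":
    for rec in parse_token_events(SAMPLE_LOG.splitlines()):
        print(rec)
```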

sonarcloud[bot] commented 3 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
93.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud