spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Enhance the observability of the authorization code flow when communicating with a third-party OAuth server #13658

Open HungUnicorn opened 1 year ago

HungUnicorn commented 1 year ago

Expected Behavior

A switch to turn on logging that shows the requests and responses in the Authorization Code Flow for the communication with the OAuth server (for example, Apple, Facebook, Google, Microsoft) in the log.

It would be better to also decode the ID token, and sensitive values like email, id and name should be masked.

Current Behavior

Not able to find how to show it. The actuator's httpexchange only shows the requests and responses between UserAgent and application. I put several debug points in the code of the library, made screenshots and masked the sensitive values myself.

Context

This is required for legal purposes to make the data transfer observable between the application and the 3rd party Auth server.
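One way to get a masked log of the token-endpoint exchange requested above, as an added example that is not part of the issue thread and not Spring Security's own code. It assumes the interceptor is registered on the `RestTemplate` that performs the token request, that this `RestTemplate` uses a `BufferingClientHttpRequestFactory` so the response body can be read twice, and that Jackson is on the classpath; the class name and the lists of masked fields and claims are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.*;
import org.springframework.util.StreamUtils;

// Hypothetical class (added example); the field and claim lists are assumptions.
public class MaskingTokenExchangeLogger implements ClientHttpRequestInterceptor {
    private static final Logger log = LoggerFactory.getLogger(MaskingTokenExchangeLogger.class);
    private static final ObjectMapper JSON = new ObjectMapper();
    static final Set<String> SECRETS = Set.of("access_token", "refresh_token", "id_token");
    static final Set<String> PERSONAL = Set.of("sub", "email", "name");
    @Override
    public ClientHttpResponse intercept(HttpRequest req, byte[] body,
            ClientHttpRequestExecution exec) throws IOException {
        // The form body carries the authorization code and client secret: mask both.
        String form = new String(body, StandardCharsets.UTF_8)
                .replaceAll("\\b(code|client_secret|code_verifier)=[^&]*", "$1=***");
        log.debug("token request {} {} body={}", req.getMethod(), req.getURI(), form);
        ClientHttpResponse resp = exec.execute(req, body);
        // Needs a buffering request factory, otherwise the body is consumed here.
        byte[] raw = StreamUtils.copyToByteArray(resp.getBody());
        log.debug("token response {} body={}", resp.getStatusCode(), describe(raw));
        return resp;
    }
    // Replaces token values and adds the ID token's claims with personal ones masked.
    static String describe(byte[] raw) {
        try {
            ObjectNode json = (ObjectNode) JSON.readTree(raw);
            if (json.hasNonNull("id_token"))
                json.set("id_token_claims", maskedClaims(json.get("id_token").asText()));
            SECRETS.forEach(f -> { if (json.has(f)) json.put(f, "***"); });
            return json.toString();
        } catch (IOException | RuntimeException e) {
            return "<unparseable body, " + raw.length + " bytes>"; // never log it raw
        }
    }
    // Decoded for logging only: the signature is not checked here.
    static ObjectNode maskedClaims(String idToken) throws IOException {
        ObjectNode claims = (ObjectNode) JSON.readTree(
                Base64.getUrlDecoder().decode(idToken.split("\\.")[1]));
        PERSONAL.forEach(c -> { if (claims.has(c)) claims.put(c, "***"); });
        return claims;
    }
}
```

Masking happens before the log call, so raw tokens and claims never reach the appender even when a body cannot be parsed.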

sjohnr commented 1 day ago

Thanks @HungUnicorn. I'm adding this for consideration in a future release.