Improve some logging for OIDC logins

[UKFr-DIZ]

Hi,

as discussed with @schwzr, it would be useful if you could improve two things for the logging.

• When having a successful login with OIDC to the DSF FHIR Server, the jetty server still constantly write into the log that the X-ClientCert is essentially missing, which is the correct behaviour when logging in with OIDC.

app_1  | WARN jetty-server-23 - ForwardedSecureRequestCustomizer.getClientCert(62) | X-ClientCert header does not start with -----BEGIN CERTIFICATE----- or -----BEGIN%20CERTIFICATE-----%0A

• When having a user account, which has no E-mail it will show ? for the following logmessage for example.

app_1  | INFO jetty-server-51 - AbstractAuthorizationRule.reasonSearchAllowed(345) | Search of Task authorized for identity 'uniklinik-freiburg.de/?'

Thanks

BR
Nam

[hhund]

Hi @UKFr-DIZ,

regarding the "X-ClientCert header" message: The Apache httpd reverse proxy currently sends (null) as the value for the header if the user is not authenticated with a client certificate. Adding expr="-n %{SSL_CLIENT_S_DN}s" to Lines 39, 45 and 51 of the host-ssl.conf file, as in RequestHeader set X-ClientCert %{SSL_CLIENT_CERT}s "expr=-n %{SSL_CLIENT_CERT}", only sets the header if the value of %{SSL_CLIENT_CERT} is not empty, thus suppressing the warning. I will make the modification with the upcoming release.

Concerning the log messages with the ? e-mail address: We are using the e-mail address from client-certificates and access tokens as a unique identifier for human users. In a future release we will likely remove the option to authenticate human users with certificates or tokens that do not contain an e-mail address. In the meantime I will make a modification for the upcoming release that will display a "generated" e-mail address based on the iss and sub values from the access token.

[UKFr-DIZ]

Hi @hhund,

thank oyu for your reply !:)
From our site we would prefer if we could authenticate users using token without an email. Sysadmins from our site have in our local concept site special sysadmin accounts. These are accounts are personal but don't have an mail configured. I used the user federation in KC and sync the users as read only, so I can't change the email of the synced user. What is your reasoning that the accounts must have an e-mail account ?