Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix audit log for issued access tokens and add refresh token event #774

Merged
merged 16 commits into from
Jun 6, 2024
Merged

Fix audit log for issued access tokens and add refresh token event #774

merged 16 commits into from
Jun 6, 2024

Conversation

federicaagostini
Copy link
Contributor

@federicaagostini federicaagostini commented May 28, 2024
edited by enricovianello
Loading

This PR includes the issued token (AT and/or RT) decoded in an audit event, e.g.

2024-06-06 10:44:27.759  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"RefreshTokenIssuedEvent","timestamp":1717670606979,"category":"TOKEN","principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","message":"Refresh token issued","subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","scopes":["openid","email","offline_access","profile"],"grantType":"client_credentials","payload":{"exp":1720262606976,"jti":"9515d05f-e493-46e2-a622-ed2766b31d19"},"source":"IamTokenService"}
2024-06-06 10:44:27.823  INFO 2366961 --- [nio-8080-exec-3] AUDIT  : {"@type":"AccessTokenIssuedEvent","timestamp":1717670607008,"category":"TOKEN","principal":"e048abb2-54ec-48b1-af7f-2199d0086feb","message":"Access token issued","scopes":["openid","email","offline_access","profile"],"subject":"e048abb2-54ec-48b1-af7f-2199d0086feb","grantType":"client_credentials","header":{"kid":"rsa1","alg":"RS256"},"payload":{"iss":"http://localhost:8080","iat":1717670606982,"exp":1717674206969,"sub":"e048abb2-54ec-48b1-af7f-2199d0086feb","jti":"9d5f9152-5723-4fb6-af45-e8902febdb38","client_id":"e048abb2-54ec-48b1-af7f-2199d0086feb"},"source":"IamTokenService"}

Example of Access Token well-formed AUDIT content:

{
   "@type":"AccessTokenIssuedEvent",
   "timestamp":1717669109480,
   "category":"TOKEN",
   "principal":"client",
   "message":"Access token issued",
   "scopes":[
      "openid",
      "email",
      "profile",
      "offline_access"
   ],
   "subject":"admin",
   "grantType":"authorization_code",
   "header":{
      "kid":"rsa1",
      "alg":"RS256"
   },
   "payload":{
      "iss":"http://localhost:8080",
      "iat":1717669109456,
      "exp":1717672709451,
      "sub":"73f16d93-2441-4a50-88ff-85360d78c6b5",
      "jti":"d9e14923-dd12-4c7a-ab02-335f6044c0c7",
      "client_id":"client"
   },
   "source":"IamTokenService"
}

Example of Refresh Token well-formed AUDIT content:

{
   "@type":"RefreshTokenIssuedEvent",
   "timestamp":1717669109454,
   "category":"TOKEN",
   "principal":"client",
   "message":"Refresh token issued",
   "subject":"admin",
   "scopes":[
      "openid",
      "email",
      "profile",
      "offline_access"
   ],
   "grantType":"authorization_code",
   "payload":{
      "exp":1725656807452,
      "jti":"45eb594f-c5bd-4473-8f4d-9ff1835a3ec1"
   },
   "source":"IamTokenService"
}

Depends on: indigo-iam/OpenID-Connect-Java-Spring-Server#18

giacomini
giacomini reviewed Jun 1, 2024
View reviewed changes
iam-login-service/src/main/java/it/infn/mw/iam/audit/events/tokens/AccessTokenIssuedEvent.java Outdated
private final HeaderDTO header = new HeaderDTO();
private final Map<String, Object> body;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it really needed to keep a HeaderDTO and a Map objects, when at the end we will simply print strings? alternatively, can't we simply keep a reference to the token itself and extract what is needed when the event is used?

@enricovianello enricovianello changed the title Improve audit log for issued JWT tokens Fix audit log for issued access tokens and add refresh token event Jun 5, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Jun 6, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
93.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@federicaagostini federicaagostini merged commit c04852c into develop Jun 6, 2024
4 checks passed
@federicaagostini federicaagostini deleted the audit-jwt branch June 6, 2024 12:15
@federicaagostini federicaagostini mentioned this pull request Jul 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giacomini giacomini giacomini left review comments

@enricovianello enricovianello enricovianello approved these changes

Assignees
No one assigned
Labels
None yet
Projects
No open projects
v1.9.0
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@federicaagostini @enricovianello @giacomini