Identityserver4: IdentityServer might log tokens in case of error
Hello,
we are using IdentityServer4, v 2.1.3 with ASP.NET Core 2.0.6.
For logging we use Serilog structured logging.
Recently I noticed that in case of authorization errors tokens are also logged.
I don't think it is very safe behavior especially when distributed logging can be used like ELK where anybody can accidentally see issued token.
One particular case we have when using Implicit flow with silent refresh. In case of misconfiguration of silent refresh url AuthorizeRequestValidator logs error with request details which also contains id_token_hint.
In general it might be also more of such places.
Any thoughts on this?
mantasaudickas
All 16 comments
id_tokens are not security sensitive (as opposed to access tokens). But I agree that this could leak personal data.
We'll look into it.
leastprivilege
on 19 Apr 2018
Yes, I agree it is not security sensitive, but having in mind that id_token by default is valid for 5 minutes (http://docs.identityserver.io/en/release/reference/client.html#token), it might be an issue.
Also maybe there are other places where such information might be logged even with access_token..
mantasaudickas
on 19 Apr 2018
We have currently been working on GRDP there was a question posed in a meeting yesterday about the data that is being logged by Ids4. Unfortunately its hard for me to see what is standard logging and what was added by my predisor
info: X.IdentityServer.Services.XClaimsService[0]
Loading Installed App claims for user 21248582 with fiscal of 21880.
I think it would be nice to know what is exactly logged by default and how it may be effected by GRDP. As well as some kind of guidelines of what not to log. Not that i am saying GRDP is the responsibility or a concern of this project but well as a group we could come up with some best practices.
LindaLawton
on 19 Apr 2018
Good idea - do some research and we can incorporate that in docs and future versions.
leastprivilege
on 19 Apr 2018
but having in mind that id_token by default is valid for 5 minutes
Even in that time period it is not security sensitive. But anways - yes - re-working logging is on of our big todo features for 3.0
leastprivilege
on 19 Apr 2018
I have a feeling I just inadvertently volunteered for this task. Documentation is on git right?
LindaLawton
on 19 Apr 2018
I think you did. Do your research first - then we can discuss.
leastprivilege
on 19 Apr 2018
I have a question first. Is it the responsibility of IDs4 to ensure GDPR compliance? or is it up to the developer using IDs4 that what they are doing is GDPR compliant? there is a difference in how we approach this.
I have no use in looking into this I need to anyway for work now that I have spotted it in the logs management knows there is a problem.
LindaLawton
on 19 Apr 2018
That's been a broiling topic for a very long time. See this https://www.splunk.com/en_us/form/how-to-operate-your-siem-under-the-gdpr.html?ac=bing_amer_usa_en_search_generic_security&utm_campaign=bing_amer_usa_en_search_generic_security&utm_source=bing&utm_medium=paidsearch&utm_term=siem&utm_content=laymans_guide_SIEM_GDPR_WP_EN&_bt=71124728250246&msclkid=77c887379deb188cd381ddef48a56766
my own take is that when logs contain personal information (and authN does contain personal information), then the logs need to be strongly protected from disclosure. That means a separate authZ solution for the logs. But to your question, it depends on whether IdSvr is concerned with demos, or with real-world implementations. Real-world implementations do need to consider secure access to the logs.
TomCJones
on 19 Apr 2018
I was more thinking could we / should we prevent some information from being logged?
Example: Google analytics will no longer accept logging of emails they drop the data.
or should we recommend that logs be stored secure and what you choose to log is up to you.
LindaLawton
on 19 Apr 2018
What I was thinking off is to analyze what we are currently logging and point out possible problems so we can address them in the future.
leastprivilege
on 19 Apr 2018
sounds like a good a place to start as any. I have a few hours tomorrow I will start there.
However in the future shouldn't be that far away. If there is something in the logs that is not GDPR compliant i think you should expect to release an upgraded version removing anything non GDPR compliant or some advice for developers in the EU how they are supposed to handle this. The deadline is fast approaching.
LindaLawton
on 19 Apr 2018
CheckSessionEndpoint.cs
29. _logger.LogWarning("Invalid HTTP method for check session endpoint"); CheckSessionEndpoint.cs
34. _logger.LogDebug("Rendering check session result"); CheckSessionEndpoint.cs
DiscoveryEndpoint.cs
36. _logger.LogTrace("Processing discovery request."); DiscoveryEndpoint.cs
41. _logger.LogWarning("Discovery endpoint only supports GET requests"); DiscoveryEndpoint.cs
45. _logger.LogDebug("Start discovery request"); DiscoveryEndpoint.cs
49. _logger.LogInformation("Discovery endpoint disabled. 404."); DiscoveryEndpoint.cs
_logger.LogTrace("Calling into discovery response generator: {type}", _responseGenerator.GetType().FullName);DiscoveryEndpoint.cs
DiscoveryKeyEndpoint.cs
35. _logger.LogTrace("Processing discovery request."); DiscoveryKeyEndpoint.cs
40. _logger.LogWarning("Discovery endpoint only supports GET requests"); DiscoveryKeyEndpoint.cs
44. _logger.LogDebug("Start key discovery request"); DiscoveryKeyEndpoint.cs
48. _logger.LogInformation("Key discovery disabled. 404."); DiscoveryKeyEndpoint.cs
_logger.LogTrace("Calling into discovery response generator: {type}", _responseGenerator.GetType().FullName);DiscoveryKeyEndpoint.cs
EndSessionCallbackEndpoint.cs
37. _logger.LogWarning("Invalid HTTP method for end session callback endpoint."); EndSessionCallbackEndpoint.cs
41. _logger.LogDebug("Processing signout callback request"); EndSessionCallbackEndpoint.cs
48. _logger.LogInformation("Successful signout callback."); EndSessionCallbackEndpoint.cs
_logger.LogDebug("Client front-channel iframe urls: {urls}", result.FrontChannelLogoutUrls);EndSessionCallbackEndpoint.cs
56._logger.LogDebug("No client front-channel iframe urls");EndSessionCallbackEndpoint.cs_logger.LogDebug("Client back-channel iframe urls: {urls}", result.BackChannelLogouts.Select(x=>x.LogoutUri));EndSessionCallbackEndpoint.cs
66._logger.LogDebug("No client back-channel iframe urls");EndSessionCallbackEndpoint.cs
86._logger.LogError(ex, "Error calling backchannel sign-out urls");EndSessionCallbackEndpoint.cs
EndSessionEndpoint.cs
48. _logger.LogWarning("Invalid HTTP method for end session endpoint."); EndSessionEndpoint.cs
_logger.LogDebug("Processing signout request for {subjectId}", user?.GetSubjectId() ?? "anonymous");EndSessionEndpoint.cs_logger.LogError("Error processing end session request {error}", result.Error);EndSessionEndpoint.cs_logger.LogDebug("Success validating end session request from {clientId}", result.ValidatedRequest?.Client?.ClientId);EndSessionEndpoint.cs
IntrospectionEndpoint.cs
59. _logger.LogTrace("Processing introspection request."); IntrospectionEndpoint.cs
64. _logger.LogWarning("Introspection endpoint only supports POST requests"); IntrospectionEndpoint.cs
70. _logger.LogWarning("Invalid media type for introspection endpoint"); IntrospectionEndpoint.cs
79. _logger.LogDebug("Starting introspection request."); IntrospectionEndpoint.cs
85. _logger.LogError("API unauthorized to call introspection endpoint. aborting."); IntrospectionEndpoint.cs
92. _logger.LogError("Malformed request body. aborting."); IntrospectionEndpoint.cs
_logger.LogTrace("Calling into introspection request validator: {type}", _requestValidator.GetType().FullName);IntrospectionEndpoint.cs_logger.LogTrace("Calling into introspection response generator: {type}", _responseGenerator.GetType().FullName);IntrospectionEndpoint.cs_logger.LogInformation("Success token introspection. Token active: {tokenActive}, for API name: {apiName}", tokenActive, apiName);IntrospectionEndpoint.cs_logger.LogError("Failed token introspection: {error}, for API name: {apiName}", error, apiName);IntrospectionEndpoint.cs
TokenEndpoint.cs
61. _logger.LogTrace("Processing token request."); TokenEndpoint.cs
66. _logger.LogWarning("Invalid HTTP request for token endpoint"); TokenEndpoint.cs
75. _logger.LogDebug("Start token request."); TokenEndpoint.cs
_logger.LogTrace("Calling into token request validator: {type}", _requestValidator.GetType().FullName);TokenEndpoint.cs_logger.LogTrace("Calling into token request response generator: {type}", _responseGenerator.GetType().FullName);TokenEndpoint.cs
104._logger.LogDebug("Token request success.");TokenEndpoint.cs_logger.LogTrace("Identity token issued for {clientId} / {subjectId}: {token}", clientId, subjectId, response.IdentityToken);TokenEndpoint.cs_logger.LogTrace("Refresh token issued for {clientId} / {subjectId}: {token}", clientId, subjectId, response.RefreshToken);TokenEndpoint.cs_logger.LogTrace("Access token issued for {clientId} / {subjectId}: {token}", clientId, subjectId, response.AccessToken);TokenEndpoint.cs
TokenRevocationEndpoint.cs
61. _logger.LogTrace("Processing revocation request."); TokenRevocationEndpoint.cs
65. _logger.LogWarning("Invalid HTTP method"); TokenRevocationEndpoint.cs
71. _logger.LogWarning("Invalid media type"); TokenRevocationEndpoint.cs
82. _logger.LogDebug("Start revocation request."); TokenRevocationEndpoint.cs
92. _logger.LogTrace("Client validation successful"); TokenRevocationEndpoint.cs
_logger.LogTrace("Calling into token revocation request validator: {type}", _requestValidator.GetType().FullName);TokenRevocationEndpoint.cs_logger.LogTrace("Calling into token revocation response generator: {type}", _responseGenerator.GetType().FullName);TokenRevocationEndpoint.cs
110._logger.LogInformation("Token successfully revoked");TokenRevocationEndpoint.cs
115._logger.LogInformation("No matching token found");TokenRevocationEndpoint.cs
UserInfoEndpoint.cs
56. _logger.LogWarning("Invalid HTTP method for userinfo endpoint."); UserInfoEndpoint.cs
65. _logger.LogDebug("Start userinfo request"); UserInfoEndpoint.cs
73. _logger.LogError(error); UserInfoEndpoint.cs
_logger.LogTrace("Calling into userinfo request validator: {type}", _requestValidator.GetType().FullName);UserInfoEndpoint.cs
83.//_logger.LogError("Error validating validationResult.Error);UserInfoEndpoint.cs_logger.LogTrace("Calling into userinfo response generator: {type}", _responseGenerator.GetType().FullName);UserInfoEndpoint.cs
91._logger.LogDebug("End userinfo request");UserInfoEndpoint.cs
//_logger.LogDebug("Adding client {0} to client list cookie for subject {1}", request.ClientId, request.Subject.GetSubjectId());AuthorizeResult.cs
123.//_logger.LogError("Unsupported response mode.");AuthorizeResult.cs
_logger.LogDebug("CORS request made for path: {path} from origin: {origin}", path, origin);CorsPolicyProvider.cs_logger.LogDebug("CorsPolicyService allowed origin: {origin}", origin);CorsPolicyProvider.cs_logger.LogWarning("CorsPolicyService did not allow origin: {origin}", origin);CorsPolicyProvider.cs_logger.LogDebug("CORS request made for path: {path} from origin: {origin} but was ignored because path was not for an allowed IdentityServer CORS endpoint", path, origin);CorsPolicyProvider.cs
_logger.LogDebug("Request path {path} matched to endpoint type {endpoint}", context.Request.Path, endpointName);EndpointRouter.cs_logger.LogTrace("No endpoint entry found for request path: {path}", context.Request.Path);EndpointRouter.cs_logger.LogDebug("Endpoint enabled: {endpoint}, successfully created handler: {endpointHandler}", endpoint.Name, endpoint.Handler.FullName);EndpointRouter.cs_logger.LogDebug("Endpoint enabled: {endpoint}, failed to create handler: {endpointHandler}", endpoint.Name, endpoint.Handler.FullName);EndpointRouter.cs_logger.LogWarning("Endpoint disabled: {endpoint}", endpoint.Name);EndpointRouter.cs
IdentityServerAuthenticationService.cs
77. _logger.LogDebug("Augmenting SignInContext"); IdentityServerAuthenticationService.cs
_logger.LogDebug("Removing amr claim with value: {value}", amr.Value);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding idp claim with value: {value}", amr.Value);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding amr claim with value: {value}", Constants.ExternalAuthenticationMethod);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding idp claim with value: {value}", IdentityServerConstants.LocalIdentityProvider);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding amr claim with value: {value}", OidcConstants.AuthenticationMethods.Password);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding amr claim with value: {value}", Constants.ExternalAuthenticationMethod);IdentityServerAuthenticationService.cs_logger.LogDebug("Adding auth_time claim with value: {value}", time);IdentityServerAuthenticationService.cs
_logger.LogInformation("Invoking IdentityServer endpoint: {endpointType} for {url}", endpoint.GetType().FullName, context.Request.Path.ToString());IdentityServerMiddleware.cs_logger.LogTrace("Invoking result: {type}", result.GetType().FullName);IdentityServerMiddleware.cs_logger.LogCritical(ex, "Unhandled exception: {exception}", ex.Message);IdentityServerMiddleware.cs
_logger.LogDebug("Back channel logout for client id: {0} to URI: {1}, result: {2}",BackChannelLogoutClient.cs_logger.LogError(ex, "Exception invoking back channel logout for client id: {0} to URI: {1}", client.ClientId, client.LogoutUri);BackChannelLogoutClient.cs
_logger.LogTrace("Protecting message: {0}", json);MessageCookie.cs
116._logger.LogError(ex, "Error unprotecting message cookie");MessageCookie.cs_logger.LogDebug(e, "Unable to unprotect cookie {0}", name);MessageCookie.cs_logger.LogTrace("Purging stale cookie: {cookieName}", name);MessageCookie.cs
DefaultEventSink.cs
42. _logger.LogInformation(json); DefaultEventSink.cs
DefaultIdentityServerInteractionService.cs
58. _logger.LogTrace("AuthorizationRequest being returned"); DefaultIdentityServerInteractionService.cs
62. _logger.LogTrace("No AuthorizationRequest being returned"); DefaultIdentityServerInteractionService.cs
106. _logger.LogTrace("Error context loaded"); DefaultIdentityServerInteractionService.cs
110. _logger.LogTrace("No error context found"); DefaultIdentityServerInteractionService.cs
115. _logger.LogTrace("No error context found"); DefaultIdentityServerInteractionService.cs
143. _logger.LogTrace("IsValidReturnUrl true"); DefaultIdentityServerInteractionService.cs
147. _logger.LogTrace("IsValidReturnUrl false"); DefaultIdentityServerInteractionService.cs
DefaultPersistedGrantService.cs
95. _logger.LogError(ex, "Failed processing results from grant store."); DefaultPersistedGrantService.cs
DefaultRefreshTokenService.cs
59. _logger.LogDebug("Creating refresh token"); DefaultRefreshTokenService.cs
64. _logger.LogDebug("Setting an absolute lifetime: " + client.AbsoluteRefreshTokenLifetime); DefaultRefreshTokenService.cs
69. _logger.LogDebug("Setting a sliding lifetime: " + client.SlidingRefreshTokenLifetime); DefaultRefreshTokenService.cs
95. _logger.LogDebug("Updating refresh token"); DefaultRefreshTokenService.cs
102. _logger.LogDebug("Token usage is one-time only. Generating new handle"); DefaultRefreshTokenService.cs
113. _logger.LogDebug("Refresh token expiration is sliding - extending lifetime"); DefaultRefreshTokenService.cs
118. _logger.LogDebug("Current lifetime: " + currentLifetime.ToString()); DefaultRefreshTokenService.cs
121. _logger.LogDebug("New lifetime: " + newLifetime.ToString()); DefaultRefreshTokenService.cs
128. _logger.LogDebug("New lifetime exceeds absolute lifetime, capping it to " + newLifetime.ToString()); DefaultRefreshTokenService.cs
138. _logger.LogDebug("Created refresh token in store"); DefaultRefreshTokenService.cs
143. _logger.LogDebug("Updated refresh token in store"); DefaultRefreshTokenService.cs
147. _logger.LogDebug("No updates to refresh token done"); DefaultRefreshTokenService.cs
OidcReturnUrlParser.cs
39. _logger.LogTrace("AuthorizationRequest being returned"); OidcReturnUrlParser.cs
44. _logger.LogTrace("No AuthorizationRequest being returned"); OidcReturnUrlParser.cs
61. _logger.LogTrace("returnUrl is valid"); OidcReturnUrlParser.cs
66. _logger.LogTrace("returnUrl is not valid"); OidcReturnUrlParser.cs
_logger.LogTrace("Calling into client configuration validator: {validatorType}", _validatorType);ValidatingClientStore.cs_logger.LogDebug("client configuration validation for client {clientId} succeeded.", client.ClientId);ValidatingClientStore.cs_logger.LogError("Invalid client configuration for client {clientId}: {errorMessage}", client.ClientId, context.ErrorMessage);ValidatingClientStore.cs
ProtectedDataMessageStore.cs
43. _logger.LogError(ex, "Exception reading protected message"); ProtectedDataMessageStore.cs
63. _logger.LogError(ex, "Exception writing protected message"); ProtectedDataMessageStore.cs
ApiSecretValidator.cs
49. _logger.LogTrace("Start API validation"); ApiSecretValidator.cs
61. _logger.LogError("No API secret found"); ApiSecretValidator.cs
71. _logger.LogError("No API resource with that name found. aborting"); ApiSecretValidator.cs
79. _logger.LogError("API resource not enabled. aborting."); ApiSecretValidator.cs
86. _logger.LogDebug("API resource validation success"); ApiSecretValidator.cs
99. _logger.LogError("API validation failed."); ApiSecretValidator.cs
AuthorizeRequestValidator.cs
54. _logger.LogDebug("Start authorize request protocol validation"); AuthorizeRequestValidator.cs
_logger.LogDebug("Calling into custom validator: {type}", _customValidator.GetType().FullName);AuthorizeRequestValidator.cs
107._logger.LogTrace("Authorize request protocol validation successful");AuthorizeRequestValidator.cs
243._logger.LogDebug("Checking for PKCE parameters");AuthorizeRequestValidator.cs
324._logger.LogDebug("No PKCE used.");AuthorizeRequestValidator.cs
343._logger.LogDebug("Missing code_challenge_method, defaulting to plain");AuthorizeRequestValidator.cs
492._logger.LogDebug("Unsupported prompt mode - ignored: " + prompt);AuthorizeRequestValidator.cs
522._logger.LogDebug("Unsupported display mode - ignored: " + display);AuthorizeRequestValidator.cs_logger.LogWarning("idp requested ({idp}) is not in client restriction list.", idp);AuthorizeRequestValidator.cs_logger.LogError(message + "\n{requestDetails}", requestDetails);AuthorizeRequestValidator.cs_logger.LogError(message + ": {detail}\n{requestDetails}", detail, requestDetails);AuthorizeRequestValidator.cs
BasicAuthenticationSecretParser.cs
53. _logger.LogDebug("Start parsing Basic Authentication secret"); BasicAuthenticationSecretParser.cs
78. _logger.LogWarning("Malformed Basic Authentication credential."); BasicAuthenticationSecretParser.cs
83. _logger.LogWarning("Malformed Basic Authentication credential."); BasicAuthenticationSecretParser.cs
90. _logger.LogWarning("Malformed Basic Authentication credential."); BasicAuthenticationSecretParser.cs
102. _logger.LogWarning("Client ID or secret exceeds allowed length."); BasicAuthenticationSecretParser.cs
116. _logger.LogDebug("No Basic Authentication secret found"); BasicAuthenticationSecretParser.cs
BearerTokenUsageValidator.cs
40. _logger.LogDebug("Bearer token found in header"); BearerTokenUsageValidator.cs
49. _logger.LogDebug("Bearer token found in body"); BearerTokenUsageValidator.cs
54. _logger.LogDebug("Bearer token not found"); BearerTokenUsageValidator.cs
_logger.LogTrace("Unexpected header format: {header}", header);BearerTokenUsageValidator.cs
ClientSecretValidator.cs
50. _logger.LogDebug("Start client validation"); ClientSecretValidator.cs
62. _logger.LogError("No client identifier found"); ClientSecretValidator.cs
_logger.LogError("No client with id '{clientId}' found. aborting", parsedSecret.Id);ClientSecretValidator.cs
78._logger.LogDebug("Public Client - skipping secret validation success");ClientSecretValidator.cs_logger.LogError("Client secret validation failed for client: {clientId}.", client.ClientId);ClientSecretValidator.cs
92._logger.LogDebug("Client validation success");ClientSecretValidator.cs
EndSessionRequestValidator.cs
57. _logger.LogDebug("Start end session request validation"); EndSessionRequestValidator.cs
_logger.LogInformation(message + Environment.NewLine + "{details}", log);EndSessionRequestValidator.cs
148._logger.LogInformation(message);EndSessionRequestValidator.cs_logger.LogInformation("End session request validation success" + Environment.NewLine + "{details}", log);EndSessionRequestValidator.cs_logger.LogDebug("Client front-channel logout URLs: {0}", msg);EndSessionRequestValidator.cs
239._logger.LogDebug("No client front-channel logout URLs");EndSessionRequestValidator.cs_logger.LogDebug("Client back-channel logout URLs: {0}", msg);EndSessionRequestValidator.cs
249._logger.LogDebug("No client back-channel logout URLs");EndSessionRequestValidator.cs
ExtensionGrantValidator.cs
61. _logger.LogError("No validator found for grant type"); ExtensionGrantValidator.cs
_logger.LogTrace("Calling into custom grant validator: {type}", validator.GetType().FullName);ExtensionGrantValidator.cs_logger.LogError(1, e, "Grant validation error: {message}", e.Message);ExtensionGrantValidator.cs
HashedSharedSecretValidator.cs
_logger.LogDebug("Hashed shared secret validator cannot process {type}", parsedSecret.Type ?? "null");HashedSharedSecretValidator.cs
55._logger.LogDebug("No shared secret configured for client.");HashedSharedSecretValidator.cs_logger.LogInformation("Secret: {description} uses invalid hashing algorithm.", secretDescription);HashedSharedSecretValidator.cs_logger.LogInformation("Secret: {description} uses invalid hashing algorithm.", secretDescription);HashedSharedSecretValidator.cs
106._logger.LogDebug("No matching hashed secret found.");HashedSharedSecretValidator.cs
IntrospectionRequestValidator.cs
40. _logger.LogDebug("Introspection request validation started."); IntrospectionRequestValidator.cs
46. _logger.LogError("Token is missing"); IntrospectionRequestValidator.cs
62. _logger.LogDebug("Token is invalid."); IntrospectionRequestValidator.cs
73. _logger.LogDebug("Introspection request validation successful."); IntrospectionRequestValidator.cs
JwtBearerClientAssertionSecretParser.cs
55. _logger.LogDebug("Start parsing for JWT client assertion in post body"); JwtBearerClientAssertionSecretParser.cs
59. _logger.LogDebug("Content type is not a form"); JwtBearerClientAssertionSecretParser.cs
75. _logger.LogError("Client assertion token exceeds maximum lenght."); JwtBearerClientAssertionSecretParser.cs
87. _logger.LogError("Client ID exceeds maximum lenght."); JwtBearerClientAssertionSecretParser.cs
102. _logger.LogDebug("No JWT client assertion found in post body"); JwtBearerClientAssertionSecretParser.cs
115. _logger.LogWarning("Could not parse client assertion", e); JwtBearerClientAssertionSecretParser.cs
NotSupportedResouceOwnerCredentialValidator.cs
37. _logger.LogInformation("Resource owner password credential type not supported. Configure an IResourceOwnerPasswordValidator."); NotSupportedResouceOwnerCredentialValidator.cs
PlainTextSharedSecretValidator.cs
_logger.LogError("Parsed secret should not be of type: {type}", parsedSecret.Type ?? "null");PlainTextSharedSecretValidator.cs
55._logger.LogDebug("No shared secret configured for client.");PlainTextSharedSecretValidator.cs
77._logger.LogDebug("No matching plain text secret found.");PlainTextSharedSecretValidator.cs
PostBodySecretParser.cs
52. _logger.LogDebug("Start parsing for secret in post body"); PostBodySecretParser.cs
56. _logger.LogDebug("Content type is not a form"); PostBodySecretParser.cs
72. _logger.LogError("Client ID exceeds maximum length."); PostBodySecretParser.cs
80. _logger.LogError("Client secret exceeds maximum length."); PostBodySecretParser.cs
94. _logger.LogDebug("client id without secret found"); PostBodySecretParser.cs
105. _logger.LogDebug("No secret in post body found"); PostBodySecretParser.cs
PrivateKeyJwtSecretValidator.cs
59. _logger.LogError("ParsedSecret.Credential is not a string."); PrivateKeyJwtSecretValidator.cs
72. _logger.LogError(e, "Could not parse assertion as JWT token"); PrivateKeyJwtSecretValidator.cs
78. _logger.LogError("There are no certificates available to validate client assertion."); PrivateKeyJwtSecretValidator.cs
104. _logger.LogError("Both 'sub' and 'iss' in the client assertion token must have a value of client_id."); PrivateKeyJwtSecretValidator.cs
112. _logger.LogError(e, "JWT token validation error"); PrivateKeyJwtSecretValidator.cs
126. _logger.LogWarning("Cannot validate client assertion token using only thumbprint. Client must be configured with X509CertificateBase64 secret."); PrivateKeyJwtSecretValidator.cs
149. _logger.LogWarning("Could not read certificate from string: " + value); PrivateKeyJwtSecretValidator.cs
_logger.LogError("Scope disabled: {requestedScope}", requestedScope);ScopeValidator.cs_logger.LogError("Invalid scope: {requestedScope}", requestedScope);ScopeValidator.cs_logger.LogError("API {api} that contains scope is disabled: {requestedScope}", api.Name, requestedScope);ScopeValidator.cs_logger.LogError("Invalid scope: {requestedScope}", requestedScope);ScopeValidator.cs_logger.LogError("offline_access is not allowed for this client: {client}", client.ClientId);ScopeValidator.cs_logger.LogError("Requested scope not allowed: {scope}", scope);ScopeValidator.cs_logger.LogError("Requested scope not allowed: {scope}", scope);ScopeValidator.cs
253._logger.LogError("Requests for id_token response type must include identity scopes");ScopeValidator.cs
260._logger.LogError("Requests for id_token response type only must not include resource scopes");ScopeValidator.cs
267._logger.LogError("Requests for token response type only must include resource scopes, but no identity scopes.");ScopeValidator.cs
_logger.LogDebug("Parser found secret: {type}", parser.GetType().Name);SecretParser.cs_logger.LogDebug("Secret id found: {id}", bestSecret.Id);SecretParser.cs
64._logger.LogDebug("Parser found no secret");SecretParser.cs
ex => _logger.LogWarning("Secret [{description}] is expired", ex.Description ?? "no description"));SecretValidator.cs_logger.LogDebug("Secret validator success: {0}", validator.GetType().Name);SecretValidator.cs
68._logger.LogDebug("Secret validators could not validate secret");SecretValidator.cs
StrictRedirectUriValidatorAppAuth.cs
70. _logger.LogDebug("Checking for 127.0.0.1 redirect URI"); StrictRedirectUriValidatorAppAuth.cs
76. _logger.LogDebug("invalid format - http://127.0.0.1:port is required."); StrictRedirectUriValidatorAppAuth.cs
83. _logger.LogDebug("invalid format - http://127.0.0.1:port is required."); StrictRedirectUriValidatorAppAuth.cs
92. _logger.LogDebug("invalid port"); StrictRedirectUriValidatorAppAuth.cs
TokenRequestValidator.cs
82. _logger.LogDebug("Start token request validation"); TokenRequestValidator.cs
_logger.LogTrace("Calling into custom request validator: {type}", _customRequestValidator.GetType().FullName);TokenRequestValidator.cs
174._logger.LogDebug("Start validation of authorization code token request");TokenRequestValidator.cs
280._logger.LogDebug("Client required a proof key for code exchange. Starting PKCE validation");TokenRequestValidator.cs
311._logger.LogDebug("Validation of authorization code token request success");TokenRequestValidator.cs
318._logger.LogDebug("Start client credentials token request validation");TokenRequestValidator.cs_logger.LogDebug("{clientId} credentials token request validation success", _validatedRequest.Client.ClientId);TokenRequestValidator.cs
355._logger.LogDebug("Start resource owner password token request validation");TokenRequestValidator.cs
457._logger.LogDebug("Resource owner password token request validation success.");TokenRequestValidator.cs
463._logger.LogDebug("Start validation of refresh token request");TokenRequestValidator.cs
490._logger.LogDebug("Validation of refresh token request success");TokenRequestValidator.cs
496._logger.LogDebug("Start validation of custom grant token request");TokenRequestValidator.cs
572._logger.LogDebug("Validation of extension grant token request success");TokenRequestValidator.cs
582._logger.LogTrace("Client provided no scopes - checking allowed scopes list");TokenRequestValidator.cs_logger.LogTrace("Defaulting to: {scopes}", scopes);TokenRequestValidator.cs
698._logger.LogError(message, values);TokenRequestValidator.cs_logger.LogError("Error logging {exception}", ex.Message);TokenRequestValidator.cs_logger.LogError("{details}", details);TokenRequestValidator.cs
716._logger.LogInformation(message, values);TokenRequestValidator.cs_logger.LogError("Error logging {exception}", ex.Message);TokenRequestValidator.cs_logger.LogInformation("{details}", details);TokenRequestValidator.cs_logger.LogInformation("Token request validation success\n{details}", details);TokenRequestValidator.cs
TokenRevocationRequestValidator.cs
45. _logger.LogTrace("ValidateRequestAsync called"); TokenRevocationRequestValidator.cs
49. _logger.LogError("no parameters passed"); TokenRevocationRequestValidator.cs
55. _logger.LogError("no client passed"); TokenRevocationRequestValidator.cs
65. _logger.LogError("No token found in request"); TokenRevocationRequestValidator.cs
_logger.LogDebug("Token type hint found in request: {tokenTypeHint}", hint);TokenRevocationRequestValidator.cs_logger.LogError("Invalid token type hint: {tokenTypeHint}", hint);TokenRevocationRequestValidator.cs_logger.LogDebug("ValidateRequestAsync result: {validateRequestResult}", result);TokenRevocationRequestValidator.cs
TokenValidator.cs
67. _logger.LogDebug("Start identity token validation"); TokenValidator.cs
71. _logger.LogError("JWT too long"); TokenValidator.cs
81. _logger.LogError("No clientId supplied, can't find id in identity token."); TokenValidator.cs
_logger.LogError("Unknown or disabled client: {clientId}.", clientId);TokenValidator.cs_logger.LogDebug("Client found: {clientId} / {clientName}", client.ClientId, client.ClientName);TokenValidator.cs_logger.LogError("User marked as not active: {subject}", subClaim.Value);TokenValidator.cs_logger.LogDebug("Calling into custom token validator: {type}", _customValidator.GetType().FullName);TokenValidator.cs
150._logger.LogTrace("Start access token validation");TokenValidator.cs
161._logger.LogError("JWT too long");TokenValidator.cs
181._logger.LogError("token handle too long");TokenValidator.cs_logger.LogError("Client deleted or disabled: {clientId}", clientClaim.Value);TokenValidator.cs_logger.LogError("User marked as not active: {subject}", subClaim.Value);TokenValidator.cs_logger.LogDebug("Calling into custom token validator: {type}", _customValidator.GetType().FullName);TokenValidator.cs_logger.LogError(ex, "JWT token validation error: {exception}", ex.Message);TokenValidator.cs
369._logger.LogTrace("Start refresh token validation");TokenValidator.cs
377._logger.LogError("Invalid refresh token");TokenValidator.cs
386._logger.LogError("Refresh token has expired. Removing from store.");TokenValidator.cs_logger.LogError("{0} tries to refresh token belonging to {1}", client.ClientId, refreshToken.ClientId);TokenValidator.cs_logger.LogError("{clientId} does not have access to offline_access scope anymore", client.ClientId);TokenValidator.cs_logger.LogError("{subjectId} has been disabled", refreshToken.Subject.GetSubjectId());TokenValidator.cs_logger.LogError(ex, "Malformed JWT token: {exception}", ex.Message);TokenValidator.cs_logger.LogError(message + "\n{logMessage}", _log);TokenValidator.cs_logger.LogDebug("Token validation success\n{logMessage}", _log);TokenValidator.cs
UserInfoRequestValidator.cs
67. _logger.LogError("Token contains no sub claim"); UserInfoRequestValidator.cs
_logger.LogError("User is not active: {sub}", subject.GetSubjectId());UserInfoRequestValidator.cs
LindaLawton
on 20 Apr 2018
I wrote a quick console app that reads all the files and searches for _loggerfile size 56k That's the contents. I have taken an executive decision and declared vars are ok by default
TokenRequestValidator.cs#L731 Do we have an issue with this line? It outputs a refresh token.
TokenValidator.cs#L399 Not really sure we want something like that logged.
Side comment a number of them could be cleaned up to use $ - string interpolation
LindaLawton
on 20 Apr 2018
I removed the potential id_token_hint from the authorize log.
https://github.com/IdentityServer/IdentityServer4/commit/82f130c7065240660cd5d2b3123478a515b12e8d
Anything else? For 2.3 we can't go through all possible logging scenarios - but now is the time to make some changes for the next minor release.
leastprivilege
on 31 Jul 2018
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
![lock[bot] picture](https://avatars1.githubusercontent.com/in/6672?v=4&s=40)
lock[bot]
on 13 Jan 2020
Related issues
not-good-with-usernames
路
3Comments
nukec
路
3Comments
leastprivilege
路
3Comments
wangkanai
路
3Comments
user1336
路
3Comments
Most helpful comment
I removed the potential id_token_hint from the authorize log.
https://github.com/IdentityServer/IdentityServer4/commit/82f130c7065240660cd5d2b3123478a515b12e8d
Anything else? For 2.3 we can't go through all possible logging scenarios - but now is the time to make some changes for the next minor release.