Track refresh tokens in access token AUDIT logs #838

Merged 4 commits on Sep 19, 2024

@rmiccoli (Contributor) commented Sep 2, 2024

In particular, expose the jti (JWT ID) of the refresh token.
We'll see the refreshTokenJti claim in the access token AUDIT log.

Example:

2024-09-02 15:29:00.687  INFO 81282 --- [io-8080-exec-10] AUDIT                                    : {"@type":"AccessTokenIssuedEvent","timestamp":1725283740682,"category":"TOKEN","principal":"client","message":"Issue access token","scopes":["openid","profile","offline_access","scim:read","scim:write","iam:admin.read","iam:admin.write"],"subject":"admin","grantType":"authorization_code","header":{"kid":"rsa1","alg":"RS256"},"payload":{"iss":"http://localhost:8080","iat":1725283740633,"exp":1725287340609,"sub":"73f16d93-2441-4a50-88ff-85360d78c6b5","jti":"f3b6255d-f8f3-48fe-8eba-92139ae35abf","client_id":"client","groups":[],"preferred_username":"admin","organisation_name":"indigo-dc","name":"Admin User"},"refreshTokenJti":"2c2583ab-0e9e-4c4d-a329-a449509782b1","source":"IamTokenService"}

@rmiccoli linked an issue Sep 2, 2024 that may be closed by this pull request
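
As an added example (not part of this pull request or the project's code), the following parser reads AUDIT lines in the format shown above and groups issued access tokens by `refreshTokenJti`, so that every access token tied to one refresh token can be listed during an investigation. The sample lines and their ids are constructed, and treating a missing `refreshTokenJti` as "no linked refresh token" is an assumption.

```python
import json
import re
from collections import defaultdict

# Matches the line layout shown above: "... AUDIT   : {json}".
AUDIT_RE = re.compile(r"\sAUDIT\s+:\s+(\{.*\})\s*$")

# Constructed sample lines, trimmed to the fields used; all ids are made up.
SAMPLE_LOG = """\
2024-09-02 15:29:00.687  INFO 81282 --- [io-8080-exec-10] AUDIT    : {"@type":"AccessTokenIssuedEvent","timestamp":1725283740682,"principal":"client","subject":"admin","grantType":"authorization_code","payload":{"jti":"at-0001"},"refreshTokenJti":"rt-0001"}
2024-09-02 15:29:01.002  INFO 81282 --- [io-8080-exec-3] example.Component    : unrelated application line
2024-09-02 16:05:12.110  INFO 81282 --- [io-8080-exec-4] AUDIT    : {"@type":"AccessTokenIssuedEvent","timestamp":1725285912110,"principal":"client","subject":"admin","grantType":"refresh_token","payload":{"jti":"at-0002"},"refreshTokenJti":"rt-0001"}
2024-09-02 16:07:40.501  INFO 81282 --- [io-8080-exec-7] AUDIT    : {"@type":"AccessTokenIssuedEvent","timestamp":1725286060501,"principal":"svc","subject":"svc","grantType":"client_credentials","payload":{"jti":"at-0003"}}
2024-09-02 16:08:00.000  INFO 81282 --- [io-8080-exec-7] AUDIT    : {"@type":"ConstructedOtherEvent","timestamp":1725286080000}
2024-09-02 16:09:00.000  INFO 81282 --- [io-8080-exec-9] AUDIT    : {"@type":"AccessTokenIssuedEvent","payload":{"jti":"at-9999"}
"""


def parse_audit_events(text):
    """Yield decoded AUDIT JSON objects, skipping other and malformed lines."""
    for line in text.splitlines():
        match = AUDIT_RE.search(line)
        if not match:
            continue  # not an AUDIT record
        try:
            yield json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or corrupted record


def access_tokens_by_refresh_token(text):
    """Map refresh token jti -> access tokens logged with that refreshTokenJti."""
    index = defaultdict(list)
    for event in parse_audit_events(text):
        if event.get("@type") != "AccessTokenIssuedEvent":
            continue
        # Assumption: an absent/empty field means no refresh token is linked.
        refresh_jti = event.get("refreshTokenJti") or None
        index[refresh_jti].append({
            "access_jti": (event.get("payload") or {}).get("jti"),
            "client": event.get("principal"),
            "subject": event.get("subject"),
            "grant": event.get("grantType"),
            "timestamp": event.get("timestamp"),
        })
    return dict(index)
```
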

@enricovianello (Member) left a comment

You added a test for the ParseException, but we can also add a test that checks that getRefreshTokenJti works and returns the same refresh token JTI. This can probably be done by extending some other test, but a dedicated test is probably better. In any case, the fix seems ok to me.

@enricovianello self-requested a review September 19, 2024 20:24
@enricovianello merged commit db2ee2c into develop Sep 19, 2024
4 checks passed
@enricovianello deleted the issue-829 branch September 19, 2024 20:28
Successfully merging this pull request may close these issues.

Missing Tracking of Refresh Tokens in Audit Logs