Default log level for openid connect errors.
Confirm you’ve already contributed to this project or that you sponsor it
- I confirm I’m a sponsor or a contributor
Version
4.x
Question
Hello @kevinchalet, hope you are doing fine.
I would love to hear your opinion about log levels on errors. Here is a sample log for an invalid_scope error:
2023-01-31 09:55:30.921 -05:00 [INF] The authorization request was rejected because the application 'Web' was not allowed to use the 'OrderService' scope.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
2023-01-31 09:55:30.922 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters.
2023-01-31 09:55:30.922 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachRedirectUri.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+InferResponseMode.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachResponseState.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachIssuer.
2023-01-31 09:55:30.926 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFormPostResponse.
2023-01-31 09:55:30.926 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessQueryResponse.
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFragmentResponse.
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessStatusCodePagesErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.929 -05:00 [INF] The response was successfully returned as a plain-text document: {
"error": "invalid_request",
"error_description": "This client application is not allowed to use the specified scope.",
"error_uri": "https://documentation.openiddict.com/errors/ID2051"
}.
2023-01-31 09:55:30.929 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessLocalErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.929 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was marked as handled by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessLocalErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
Apart from the DBG logs, the invalid scope error and the response details are logged as information. This is mainly a problem in deployment scenarios where the minimum logging level is set to error.
Since they are basically errors, is there a main reason why they are logged as information?
Thanks.
Issue Analytics
- State:
- Created 7 months ago
- Comments:7 (5 by maintainers)
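An added example (not part of the original issue and not OpenIddict code): Python that parses the log format shown in the sample above, extracts the scope rejections, and shows what is left of them once a minimum level above Information is applied. The last log line with its 'BillingService' scope is constructed, and the level codes other than INF and DBG and their ordering are assumptions.

```python
import json
import re

# Entry prefix as in the sample above: timestamp, UTC offset, three-letter level.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) [+-]\d\d:\d\d \[([A-Z]{3})\] (.*)$")
REJECTED = re.compile(r"The (\w+) request was rejected because the application "
                      r"'([^']*)' was not allowed to use the '([^']*)' scope\.")
RESPONSE = re.compile(r"returned as a plain-text document: (\{.*\})\.$", re.S)
# INF and DBG appear in the sample; the other codes and the ordering are assumptions.
SEVERITY = {"VRB": 0, "DBG": 1, "INF": 2, "WRN": 3, "ERR": 4, "FTL": 5}

# Constructed input: abbreviated from the sample above, plus one made-up final line.
SAMPLE = """\
2023-01-31 09:55:30.921 -05:00 [INF] The authorization request was rejected because the application 'Web' was not allowed to use the 'OrderService' scope.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.929 -05:00 [INF] The response was successfully returned as a plain-text document: {
"error": "invalid_request",
"error_description": "This client application is not allowed to use the specified scope.",
"error_uri": "https://documentation.openiddict.com/errors/ID2051"
}.
2023-01-31 09:56:02.104 -05:00 [INF] The authorization request was rejected because the application 'Web' was not allowed to use the 'BillingService' scope.
"""

def parse_entries(text):
    """Group physical lines into entries; a line without a prefix continues the previous message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({"ts": m.group(1), "level": m.group(2), "message": m.group(3)})
        elif entries:
            entries[-1]["message"] += "\n" + line
    return entries

def rejections(entries, minimum="VRB"):
    """Scope rejections still visible at `minimum`, each paired with the next logged error response."""
    floor = SEVERITY[minimum]
    found = []
    for e in entries:
        if SEVERITY.get(e["level"], 0) < floor:
            continue  # this entry would not reach a sink configured with this minimum level
        m = REJECTED.search(e["message"])
        if m:
            found.append({"ts": e["ts"], "endpoint": m.group(1), "application": m.group(2),
                          "scope": m.group(3), "error": None})
        elif found and found[-1]["error"] is None:
            r = RESPONSE.search(e["message"])  # pairing by order only; concurrent requests can interleave
            if r:
                found[-1]["error"] = json.loads(r.group(1)).get("error")
    return found
```

Calling `rejections(parse_entries(SAMPLE), "ERR")` returns an empty list, which is the deployment scenario the question describes: every trace of the rejected requests sits at INF or DBG.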
Top GitHub Comments
@maliming hey.
It’s something that I considered, but I had two problems with this approach:
Warning (instead of Information) log message as it’s the sign of a very serious security issue).
/cc @schmitch @NoahStahl @deanmarcussen would changing the log level to Warning be a compromise that could make everyone happy?
Moving out of 4.2 as it doesn’t seem there’s a real consensus yet to change the existing log level.
@gterdem log messages are certainly helpful in many cases, but they are sadly not a perfect solution either: think of third-party clients that don’t even have access to the server logs, for instance (and it’s a quite common scenario).
OpenIddict (tries to) return descriptive error messages using standard OAuth 2.0 responses (e.g. as a JSON response or via the WWW-Authenticate response header for API calls). If it’s not already the case, we may want to check how to surface them to ABP users at the client and resource server levels so they are easier to diagnose.
It’s also interesting to note that OpenIddict already returns error_uri parameters that point to the OpenIddict website: adding real docs for each error is on my radar (https://github.com/openiddict/openiddict-documentation/issues/30) and I think it could make debugging easier too.