Default log level for openid connect errors.

Confirm you’ve already contributed to this project or that you sponsor it

  • I confirm I’m a sponsor or a contributor

Version

4.x

Question

Hello @kevinchalet, hope you are doing fine.

I would love to hear your opinion about log levels on errors. Here is a sample for invalid_scope error log:

2023-01-31 09:55:30.921 -05:00 [INF] The authorization request was rejected because the application 'Web' was not allowed to use the 'OrderService' scope.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
2023-01-31 09:55:30.922 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters.
2023-01-31 09:55:30.922 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachRedirectUri.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+InferResponseMode.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachResponseState.
2023-01-31 09:55:30.924 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachIssuer.
2023-01-31 09:55:30.926 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFormPostResponse.
2023-01-31 09:55:30.926 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessQueryResponse.
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFragmentResponse.
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.927 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessStatusCodePagesErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.929 -05:00 [INF] The response was successfully returned as a plain-text document: {
  "error": "invalid_request",
  "error_description": "This client application is not allowed to use the specified scope.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2051"
}.
2023-01-31 09:55:30.929 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessLocalErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-01-31 09:55:30.929 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was marked as handled by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessLocalErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].

Apart from the DBG logs, the invalid scope error and the response details are logged as information. This is mainly a problem in deployment scenarios where the minimum logging is set to error.

Since they are basically errors, is there a main reason why they are logged as information?

Thanks.

Issue Analytics

  • State: open
  • Created 7 months ago
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

2 reactions
kevinchalet commented, Feb 7, 2023

@maliming hey.

It’s something that I considered, but I had two problems with this approach:

  1. It’s an extremely unusual approach (I haven’t seen it anywhere in .NET/ASP.NET Core).
  2. It can very quickly become a nightmare to maintain as there are request rejections that need a higher log level than the other ones (e.g. if you send a refresh token that is bound to a different client, the request is rejected with a Warning (instead of Information) log message as it’s the sign of a very serious security issue).

/cc @schmitch @NoahStahl @deanmarcussen would changing the log level to Warning be a compromise that could make everyone happy?

0 reactions
kevinchalet commented, Mar 24, 2023

Moving out of 4.2 as it doesn’t seem there’s a real consensus yet to change the existing log level.

@gterdem log messages are certainly helpful in many cases, but they are sadly not a perfect solution either: think of third-party clients that don’t even have access to the server logs, for instance (and it’s a quite common scenario).

OpenIddict (tries to) return descriptive error messages using standard OAuth 2.0 responses (e.g. as a JSON response or via the WWW-Authenticate response header for API calls). If it’s not already the case, we may want to check how to surface them to ABP users at the client and resource server levels so they are easier to diagnose.

It’s also interesting to note that OpenIddict already returns error_uri parameters that point to the OpenIddict website: adding real docs for each error is on my radar (https://github.com/openiddict/openiddict-documentation/issues/30) and I think it could make debugging easier too.
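
Added example, not part of the original issue or of OpenIddict's code: a small Python triage script for logs in the format quoted in the question. It groups each rejection reason with the handler that rejected the request and the OAuth error returned, and reports whether the rejection line would still be written at a given minimum level. The matched phrases and level codes come from the sample above (VRB and FTL are assumed); the function names and the abbreviated sample are constructed.

```python
import json
import re

# Constructed sample: abbreviated from the log excerpt quoted in the issue.
SAMPLE = """\
2023-01-31 09:55:30.921 -05:00 [INF] The authorization request was rejected because the application 'Web' was not allowed to use the 'OrderService' scope.
2023-01-31 09:55:30.921 -05:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopePermissions.
2023-01-31 09:55:30.929 -05:00 [INF] The response was successfully returned as a plain-text document: {
  "error": "invalid_request",
  "error_description": "This client application is not allowed to use the specified scope.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2051"
}.
"""

# "<timestamp> <offset> [LVL] <message>", as in the quoted sample.
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3} [+-]\d\d:\d\d) \[([A-Z]{3})\] (.*)$")
# Assumption: three-letter level codes ordered from least to most severe.
RANK = {"VRB": 0, "DBG": 1, "INF": 2, "WRN": 3, "ERR": 4, "FTL": 5}

def parse_events(text):
    """Return [timestamp, level, message] entries; unprefixed lines continue the previous message."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            events.append(list(m.groups()))
        elif events:
            events[-1][2] += "\n" + raw  # multi-line JSON response body
    return events

def find_rejections(text, minimum="ERR"):
    """Correlate each rejection with its rejecting handler(s) and the error response sent."""
    findings, current = [], None
    for ts, level, msg in parse_events(text):
        if "request was rejected because" in msg:
            current = {"time": ts, "level": level, "reason": msg, "handlers": [],
                       "error": None, "error_uri": None,
                       "visible": RANK[level] >= RANK[minimum]}  # kept at this minimum level?
            findings.append(current)
        elif current and " was marked as rejected by " in msg:
            handler = msg.rsplit(" by ", 1)[1].rstrip(".")
            current["handlers"].append(handler.rsplit("+", 1)[-1])
        elif current and "returned as a plain-text document:" in msg:
            body = json.loads(msg.split("document:", 1)[1].strip().rstrip("."))
            current["error"], current["error_uri"] = body.get("error"), body.get("error_uri")
            current = None  # response sent: this rejection is complete
    return findings
```

With the default `minimum="ERR"`, the sample's rejection comes back with `visible` set to `False`, which is the situation described in the question; the handler names are only available when DBG lines are collected.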
