
I'm using the Spring Boot OAuth2 (https://projects.spring.io/spring-security-oauth/docs/oauth2.html), making my own authorization server.

I haven't found a way to provide a coherent access log for users that hit `/oauth/token`. I'm wanting both successful and unsuccessful events. I've tried a lot of things, but they don't fulfill my needs in some way.

  • Standard Spring Security AuthenticationSuccessHandler, AuthenticationFailureHandler, AuthenticationEventPublisher, AccessDeniedHandler, or AuthenticationEntryPoint: These don't seem to happen at all.
  • Application events
    • AuthenticationCredentialsNotFoundEvent: This happens, but I don't get any information about the client. Not even the username/client id.
    • ServletRequestHandledEvent: Good stuff, I get all the things, but only fires on success.
    • Spring Boot AuditApplicationEvent: Only happens on failure and the user principal is "unknown". Not even the IP address is available.
  • OAuth2AccessDeniedHandler: This never happens either. I've installed it with the AuthorizationServerSecurityConfigurer, so I'm not sure what's going on with that.

So is there not a way to log what happens? I would think that any security related framework would have something available.

Jeff Walker
  • Did you try enabling Debug log? Adding this to properties file `logging.level.org.springframework.security.oauth2: DEBUG` – SAP Nov 05 '18 at 22:29
  • Nothing interesting, just about the token endpoint being hit. – Jeff Walker Nov 06 '18 at 16:36
  • What are you after? I've seen all authentication/authorization related logs once enabling debug log. – SAP Nov 06 '18 at 21:21
  • Well, I'm wanting to know the client id and where the request came from. I seem to only get the IP when `ServletRequestHandledEvent` serves `/error`. – Jeff Walker Nov 15 '18 at 16:31
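
An added example, not part of the original question or its comments: a servlet filter ordered ahead of the Spring Security chain that logs one line per `/oauth/token` request, granted or rejected, with client id, source address and HTTP status. It assumes Spring Boot 2.x with `javax.servlet` and SLF4J; the class name `TokenEndpointAccessLogFilter` and the logger name `oauth.token.access` are hypothetical.

```java
// Added example (assumes Spring Boot 2.x, javax.servlet, SLF4J); names are hypothetical.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

@Component
@Order(Ordered.HIGHEST_PRECEDENCE) // wraps the Spring Security filter chain, so rejections are seen too
public class TokenEndpointAccessLogFilter extends OncePerRequestFilter {
    private static final Logger LOG = LoggerFactory.getLogger("oauth.token.access");
    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !"/oauth/token".equals(request.getRequestURI().substring(request.getContextPath().length()));
    }
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
            FilterChain chain) throws ServletException, IOException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Runs for granted and rejected requests alike; the HTTP status tells them apart.
            LOG.info("token_request client_id={} grant_type={} remote_addr={} status={}",
                    clean(clientId(request)), clean(request.getParameter("grant_type")),
                    request.getRemoteAddr(), response.getStatus());
        }
    }
    // Client id from HTTP Basic or the client_id form field; the secret is never logged.
    static String clientId(HttpServletRequest request) {
        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()), StandardCharsets.UTF_8);
                int colon = pair.indexOf(':');
                return colon >= 0 ? pair.substring(0, colon) : pair;
            } catch (IllegalArgumentException malformed) { /* not valid Base64: fall back to the form field */ }
        }
        return request.getParameter("client_id");
    }
    // Replace control characters so a crafted client id cannot forge extra log lines.
    static String clean(String v) { return v == null ? "-" : v.replaceAll("\\p{Cntrl}", "_"); }
}
```

Behind a reverse proxy, `getRemoteAddr()` returns the proxy's address unless forwarded-header handling is configured.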

0 Answers