IINM the requirement here is to log the token generation event, not resource access with the generated token. Therefore access log won't be the correct place. This should be ideally logged in a separate log file, but we would have to use the audit log file because that's the existing option we have.
However, not all customers will require this. This will in fact grow the audit log rapidly. So this should be configurable. On Mon, Aug 6, 2018 at 3:30 PM, Ruwan Abeykoon <[email protected]> wrote: > HI Rushmin, > It is valid requirement to log the information. > Access log is the the right place for this kind of logs, as it logs > who/what accessed the Application with token. > > Audit log in contrast logs who did what modification at what resource. > > Cheers. > Ruwan > > On Mon, Aug 6, 2018 at 1:36 PM Rushmin Fernando <[email protected]> wrote: > >> It is a valid requirement for a production deployment to publish/log >> context data during the operations like OAuth token generation. >> >> As of now, we don't log these audio data. One close existing candidate is >> HTTP access logs. But it doesn't contain any context information like >> client ID. >> >> What we can do is, use an audit logger in relevant classes and start >> logging the data. >> >> Do we have any concerns with this? >> >> -- >> *Best Regards* >> >> *Rushmin Fernando* >> *Technical Lead* >> >> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware >> >> mobile : +94775615183 >> >> >> > > -- > > *Ruwan Abeykoon* > *Associate Director/Architect**,* > *WSO2, Inc. http://wso2.com <https://wso2.com/signature> * > *lean.enterprise.middleware.* > > > _______________________________________________ > Architecture mailing list > [email protected] > https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture > > -- Thanks & Regards, Dulanja Liyanage Lead, Platform Security Team WSO2 Inc.
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
