Auditing requests for OAuth2 Tokens

Product/components used and version/fix level are you on:

API Gateway 10.11.0.14.328

Detailed explanation of the problem:

We have configured OAuth2 using the Local Authorization server in API Gateway. We would like to log successful getToken requests / refresh tokens.
It will log in the failure case, but not in the success case.

I have updated the logging configuration in the Integration server to enable the Security Logger and selected all Security Areas to Audit.
This has generated a log, with information when I successfully log into the GUI, but not when I get an OAuth token.

Does anyone know if this is possible?

Error messages / full error message screenshot / log file:

No error log

Is your question related to the free trial, or to a production (customer) instance?

Customer instance

Have you installed all the latest fixes for the products and systems you are using?

No

Hi @nick_lomax24,
We don't provide the option to log the token as it is a security breach.

Regards
Vikash Sharma

Hi Vikash,

Apologies, I should have updated the forum. I did manage to get it to work. Configuring the security log in the API GW GUI, followed by an update in the Integration Server console to ensure Authentication and Authorization were selected, worked.

I did find that if I just updated it in the Integration Server only, the configuration was lost when stopping and starting the Integration Server.

We can see success and failure of authentication when obtaining the token.

However, I do not see failed authorisation issues being logged, e.g. asking for a scope you don't have or that does not exist, as well as calling an API with a bearer token with the wrong scope.

I have set the server extended setting watt.server.oauth.log.authErrors to true and the error log is set for file.

According to the manual, I was expecting authorisation failures to be logged in the error log. Other errors do appear in the error log, but not OAuth authorisation ones.

Important Considerations for Using OAuth Features (softwareag.com)

This is what it says in the manual:
For OAuth authorization failures to appear in the error log, the watt.server.oauth.log.authErrors server configuration parameter must be set to true. By default, this parameter is set to false, meaning Integration Server does not write OAuth authorization errors to any log.

Is what I am trying to do considered to be an OAuth authorization failure?
