Logging OIDC response?

Henri Mikkonen henri.mikkonen at csc.fi
Tue Aug 3 12:18:03 UTC 2021

Hi Jim,

With the following logger element in the logback configuration, you should be able to log all the responses returned by the OIDC endpoints:

   <logger name="net.shibboleth.idp.plugin.oidc.op.encoding.impl.NimbusResponseEncoder" level="ALL" />

Depending on the RP configuration, both id_token and user info response may be encrypted though, but with the most typical configurations they're not. You can exploit services such as jwt.io to get a human-readable version of id_token.


----- Original Message -----
From: "Jim Tomlinson" <jim7 at uw.edu>
To: "Shib Users" <users at shibboleth.net>
Sent: Thursday, 29 July, 2021 21:56:33
Subject: Logging OIDC response?

I'm obviously looking in all the wrong docs; a pointer would be appreciated.
I'm trying to diagnose an issue an OIDC client is having with our Shib 4.1.0 IdP's auth response (they're receiving a multi-value claim as a space-separated list, rather than a JSON array, and yeah, I've specified asArray="true" in the AttributeEncoder element). I'm having problems getting the IdP to fully log that response, unencrypted. I've cranked pretty much everything up to TRACE in logback.xml (including net.shibboleth.oidc.attribute.transcoding, net.shibboleth.oidc.jwk.support, net.shibboleth.oidc.security.jwt.claims.impl, net.shibboleth.oidc.metadata.impl and net.shibboleth.oidc.metadata.keyinfo.ext.impl.provider), to no avail.
Any pointers on how to accomplish that? Thanks.
Jim Tomlinson (he/him)
Software Engineer, Identity and Access Management
UW Information Technology
University of Washington
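
Added example, not part of the original thread or of the Shibboleth code base: a local decoder for an id_token copied out of the IdP log, which reports whether a multi-value claim was serialized as a JSON array or as a space-separated string and flags a token that is encrypted (JWE). The claim name "groups" and the sample tokens are constructed for illustration; the signature is not verified.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_token(token: str) -> dict:
    """Return the header and claims of a compact JWT (diagnostic only:
    the signature is NOT checked)."""
    parts = token.strip().split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 5:
        # JWE compact serialization: the payload is ciphertext and can
        # only be read with the RP's decryption key.
        return {"format": "JWE", "header": header, "claims": None}
    if len(parts) != 3:
        raise ValueError(f"not a compact JWT: {len(parts)} segments")
    return {"format": "JWS", "header": header,
            "claims": json.loads(b64url_decode(parts[1]))}

def claim_shape(claims: dict, name: str) -> str:
    """Classify how a claim was serialized in the token payload."""
    value = claims.get(name)
    if value is None:
        return "missing"
    if isinstance(value, list):
        return "json-array"
    if isinstance(value, str) and " " in value:
        return "space-separated-string"
    return "single-value"

def make_sample(claims: dict) -> str:
    """Build a constructed sample token (dummy signature) for the demo."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()),
                     b64url_encode(b"constructed-signature")])

if __name__ == "__main__":
    # Constructed inputs: the same claim encoded both ways.
    for groups in (["staff", "admins"], "staff admins"):
        token = make_sample({"sub": "jdoe", "groups": groups})
        print(claim_shape(inspect_token(token)["claims"], "groups"))
```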
