oidc audit log
Pavlik Martin
martin.pavlik at upol.cz
Thu Apr 21 12:54:57 UTC 2022
Hello,
The OIDC plugin uses the standard Shibboleth logs. We use the shib-idp-auditlog
plugin for statistics of logins, but with the OIDC plugin we get a bad user
login count, but there are more lines and the shib-idp-auditlog plugin is not
adapted for this.
There is an audit.log with OIDC authentication. It contains 4 lines to
successfully authenticate a user for one RP:
2022-04-01T13:12:03,194+0200|AuthenticationRequest||xxxx|http://shibboleth.net/ns/profiles/oidc/sso/browser|xxxx|AuthenticationSuccessResponse||xxxx|||xxxx|||pairwise|xxxx|
2022-04-01T13:12:04,397+0200|TokenRequest||xxx|http://shibboleth.net/ns/profiles/oidc/sso/browser|https://xxxx||xxxx||at_hash,sub,aud,auth_time,iss,exp,iat,nonce|xxxx||||xxxx|
2022-04-13T19:25:09,861+0200|KeySet|||http://shibboleth.net/ns/profiles/oidc/keyset||||||||||||
2022-04-01T13:12:04,968+0200|UserInfoRequest||xxxx|http://shibboleth.net/ns/profiles/oidc/userinfo|https://xxxx|UserInfoSuccessResponse||xxxx||sub,preferred_username_scope,name,preferred_username,given_name,family_name,email|xxxx||||xxxx|
My questions:
1. Is it possible to use separate logs for OIDC processes?
2. Is it possible to log only one line, UserInfoRequest, into audit.log?
3. Are there customized settings for OIDC logging in audit.xml and
logback.xml?
I can write a new substitute script for shib-idp-auditlog, but I would like
to know if it is possible to separate SAML and OIDC audit or other logs.
Thank you
MP
Configuration:
idp_version: 4.1.4
installed plugins:
net.shibboleth.idp.plugin.oidc.op Version 3.0.4
net.shibboleth.oidc.common Version 1.1.0
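
Added example, not part of the original message and not Shibboleth project code: a small Python counter that reads a mixed audit.log and counts an OIDC login once per successful AuthenticationRequest instead of once per line. The field positions are inferred from the sample lines quoted above, and the non-OIDC line and the truncated line in the sample are constructed.

```python
from collections import Counter

OIDC_PREFIX = "http://shibboleth.net/ns/profiles/oidc/"
# Field positions inferred from the lines quoted in the post (assumption: the
# audit format is configurable, so adjust these to the deployed format string).
F_TIME, F_REQUEST, F_PROFILE, F_RESPONSE = 0, 1, 4, 6

def parse_line(line):
    """Split one audit line; return None for blank or truncated lines."""
    fields = line.rstrip("\n").split("|")
    if len(fields) <= F_RESPONSE or not fields[F_TIME]:
        return None
    return {"time": fields[F_TIME], "request": fields[F_REQUEST],
            "profile": fields[F_PROFILE], "response": fields[F_RESPONSE]}

def summarize(lines):
    """Count OIDC logins once per successful AuthenticationRequest."""
    stats = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            stats["skipped"] += 1          # wrapped or damaged line
        elif not rec["profile"].startswith(OIDC_PREFIX):
            stats["non_oidc"] += 1         # e.g. SAML profiles
        elif (rec["request"] == "AuthenticationRequest"
              and rec["response"] == "AuthenticationSuccessResponse"):
            stats["oidc_logins"] += 1
        else:
            stats["oidc_other"] += 1       # TokenRequest, KeySet, UserInfoRequest
    return stats

P = "http://shibboleth.net/ns/profiles/"
# Sample input: the four OIDC lines from the post ("xxxx" placeholders kept),
# plus one constructed non-OIDC line and one constructed truncated line.
SAMPLE = [
    "2022-04-01T13:12:03,194+0200|AuthenticationRequest||xxxx|" + P
    + "oidc/sso/browser|xxxx|AuthenticationSuccessResponse||xxxx|||xxxx|||pairwise|xxxx|",
    "2022-04-01T13:12:04,397+0200|TokenRequest||xxx|" + P
    + "oidc/sso/browser|https://xxxx||xxxx||at_hash,sub,aud|xxxx||||xxxx|",
    "2022-04-13T19:25:09,861+0200|KeySet|||" + P + "oidc/keyset||||||||||||",
    "2022-04-01T13:12:04,968+0200|UserInfoRequest||xxxx|" + P
    + "oidc/userinfo|https://xxxx|UserInfoSuccessResponse||xxxx||sub,name|xxxx||||xxxx|",
    "2022-04-01T13:15:00,000+0200|xxxx||xxxx|" + P + "saml2/sso/browser|xxxx|xxxx||xxxx|",
    "et/ns/profiles/oidc/userinfo|https://xxxx",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```
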