Mar 20th, 2013, 08:41 PM
Logging clientid to an access log?
The OAuth spec recommends that the client id and client secret be validated using Basic Authentication. Assuming we do this in Spring using the Basic Authentication Filter, is there any way to log the client id outside of Spring, for example in the container (e.g., Tomcat) access logs? Or, for that matter, is there any way to log something in the container access log from a value generated within the Spring application?
Mar 21st, 2013, 11:19 AM
It is typically not a good idea to include private information within your logging. The documentation for Tomcat access logs describes how you could configure the access logs to include a header value. You can configure it to log the value of the Authorization header which will contain the Base64 encoded value of the client and client secret, but again this is discouraged.
Mar 21st, 2013, 02:58 PM
Thanks, I was hoping that logging just the clientid would be a good way to track/audit calls.
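One way to get only the client id into the container access log without ever writing the secret, as an added example that is not part of the original thread or of Spring's own code: a servlet filter copies the id portion of the Basic Authorization header into a request attribute, which Tomcat's AccessLogValve can print with its `%{name}r` pattern. The class name and the attribute name `oauth.clientId` are hypothetical, and the `javax.servlet` API and Java 8+ are assumed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class): exposes the client id, never the secret, to the access log.
// Assumed AccessLogValve pattern in server.xml: %h %t "%r" %s %{oauth.clientId}r
public class ClientIdAccessLogFilter implements Filter {

    // Hypothetical attribute name; must match the %{...}r token in the valve pattern.
    static final String ATTR = "oauth.clientId";

    // Returns the id part of a Basic Authorization header, or null if absent or malformed.
    static String clientIdFrom(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return null;
        }
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            String decoded = new String(raw, StandardCharsets.UTF_8);
            int colon = decoded.indexOf(':');
            if (colon <= 0) {
                return null; // no "id:secret" structure
            }
            // Keep only the text before the first colon; the secret is discarded here.
            // Control characters are replaced so a crafted id cannot forge log lines.
            return decoded.substring(0, colon).replaceAll("\\p{Cntrl}", "_");
        } catch (IllegalArgumentException e) {
            return null; // not valid Base64
        }
    }

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            String id = clientIdFrom(((HttpServletRequest) req).getHeader("Authorization"));
            if (id != null) {
                // This is the id the caller claimed; authentication has not run yet.
                req.setAttribute(ATTR, id);
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the attribute is set before the credentials are checked, pair it with the response status in the log pattern so failed attempts under a given client id are distinguishable from successful ones.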