Include issued token details in /oauth/token logs

What does this MR do and why?

Adds the issued token ID, application ID, scopes and the grant type used to the logging payload on successful /oauth/token requests.

How to set up and validate locally

Testing using the ROPC authentication flow with a registered application:

  1. Create an OAuth application with the api scope and any redirect URL in your GDK at http://gdk.test:3000/-/user_settings/applications
  2. Make a successful request to /oauth/token using a curl command similar to the one below:
    curl --json '{"client_id": "aclientid", "client_secret": "aclientid", "grant_type": "password", "username": "auser", "password": "theirpassword"}' http://gdk.test:3000/oauth/token
  3. Observe the newly added properties in log/development_json.log (excerpt of properties given below):
    {"method":"POST","path":"/oauth/token","oauth_access_token_id":70,"oauth_access_token_application_id":2,"oauth_access_token_scopes":"api","oauth_access_token_grant_type":"password"}
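
A log consumer that uses the new fields, as an added example that is not part of this MR or of GitLab's code: it reads JSON log lines, keeps successful /oauth/token issuances, and flags those that match a review policy. The sample lines, the policy constants and the function names are constructed for illustration, and the space-separated scope format is an assumption.

```ruby
require 'json'

# Constructed sample lines in the shape of the MR's excerpt (not real log data).
SAMPLE_LOG = <<~LOG
  {"method":"POST","path":"/oauth/token","oauth_access_token_id":70,"oauth_access_token_application_id":2,"oauth_access_token_scopes":"api","oauth_access_token_grant_type":"password"}
  {"method":"POST","path":"/oauth/token","oauth_access_token_id":71,"oauth_access_token_application_id":2,"oauth_access_token_scopes":"read_user","oauth_access_token_grant_type":"authorization_code"}
  {"method":"POST","path":"/oauth/token","status":401}
  not-json debris
  {"method":"POST","path":"/oauth/token","oauth_access_token_id":72,"oauth_access_token_application_id":5,"oauth_access_token_scopes":"api read_user","oauth_access_token_grant_type":"refresh_token"}
LOG

# Assumed local review policy; the MR does not define one.
REVIEW_GRANTS = %w[password].freeze
REVIEW_SCOPES = %w[api].freeze

# Returns one hash per successful token issuance found in the log text.
def token_issuances(log_text)
  log_text.each_line.filter_map do |line|
    event = begin
      JSON.parse(line)
    rescue JSON::ParserError
      nil # skip lines that are not JSON
    end
    next unless event.is_a?(Hash) && event['path'] == '/oauth/token'
    next unless event.key?('oauth_access_token_id') # fields exist only on success
    { token_id: event['oauth_access_token_id'],
      application_id: event['oauth_access_token_application_id'],
      grant_type: event['oauth_access_token_grant_type'],
      # Assumption: several scopes arrive space-separated in one string.
      scopes: event['oauth_access_token_scopes'].to_s.split }
  end
end

# Keeps issuances matching the policy and attaches the reasons.
def flag_for_review(issuances)
  issuances.filter_map do |i|
    reasons = []
    reasons << "grant_type=#{i[:grant_type]}" if REVIEW_GRANTS.include?(i[:grant_type])
    broad = i[:scopes] & REVIEW_SCOPES
    reasons << "scopes=#{broad.join(',')}" unless broad.empty?
    i.merge(reasons: reasons) unless reasons.empty?
  end
end

# Counts issuances per [application_id, grant_type] pair.
def issuance_counts(issuances)
  issuances.map { |i| [i[:application_id], i[:grant_type]] }.tally
end

puts flag_for_review(token_issuances(SAMPLE_LOG)).map(&:to_json) if __FILE__ == $PROGRAM_NAME
```

Because the token ID and application ID are logged together, a flagged line can be tied back to one specific token and the application that requested it.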

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
