Audit logging in Rauthy

[kentdpa]

Hi

I am looking to use Rathy in an embedded environment and it's looking good.

I will use it by fetching a tokens via OIDC and OAuth2.0. I am testing with Authorization code flow and Client credentials flow.
This works fine and I get id_token and access_token.

One of my requirements is to produce an audit logs.
I need to be able to log

• When a user logs in, including which user that logged in and fetched a token by the Authorization code flow
• When a machine fetches an token through Client credentials flow

I have read the documentation around audit logging and get the output on the CLI.
But I am missing the information about which used who logged in.
It mentions that logging also goes into the database and I have viewed the database file state_machine/db/hiqlite.db but cannot find which table that contains the log.
I have also noticed there is a folder logs that contain a .wal and a .hql file. But I don't know how to read this files.

Any information to help me to view the historical logs would help me.

Many thanks!

[sebadob]

The general idea how to do auditing in Rauthy is via Events. However, currently Events are not generated every time a new token is being issued. User login information is saved into the users table. You will find the the last successful login, failed login attempts since the last success, and how many fails.

Events are not generated on purpose right now, because a successful login is usually nothing you want to be notified about and it would spam you like crazy if you have a huge amount of users. Fails generate events though. The only thing that does not have a proper event yet is when there was a login from a new location, but this can only be created properly, if you either provide Geolocation info via headers, or if you use the internernal GeoDB with a maxmind account.

Would it be sufficient for you to have failed logins and also login from new locations, or do you strictly need each login? If so, I could maybe make this configurable and opt-out of "just another normal login" events.

[sebadob]

In any case, you can now do it: https://github.com/sebadob/rauthy/releases/tag/v0.32.2

If you want to do this from an external source, I suggest you to create an API Key with read capabilitites for events. You can then even stream them in realtime.

[kentdpa]

Many thanks

I will try to test it as soon as I can.

[kentdpa]

By the way.
I really like Rathy a lot.

[kentdpa]

Hi
This worked really well, so many thanks for your quick response.
Is it possible to add the IP address to indicate who has acquired the token?

Many thanks!

[sebadob]

Is it possible to add the IP address to indicate who has acquired the token?

Possible yes, but not really helpful. It would usually be just spam of the exact same IP over and over again. You would not see the IP of the users device, but of the actual client. This is most often even a private IP from an internal network.

There is no way that someone can spoof a client because of param validation in different places. The only exception here would be a SPA that finished the token flow inside the browser with a public client and the PKCE flow. However, this is extremely rare and would only be used for clients that don't even have any backend at all. In addition, this client would only be allowed to redirect to a valid location, so even though it could be the client of the users device, it does not provide you any real additional information.

So, while the client cannot be hijacked or spoofed, you would see the users IP during session creation. If a user logs in from an unknown location / IP, you would get an event. Here it makes sense to log the IP, because you would always see to actual user device.

I thought about a page in the Admin UI where you can see all currently known locations and IPs for a user. But this is a future TODO.