Detailed logging and tracing of the OpenIDConnect method can be enabled for the following transactions:
- Token request
Additionally, if no id_token is returned with the access_token (or the id_token has been disabled by using the none algorithm), also for the following:
- Userinfo request
- Introspection request
To enable tracing:
On each node, modify ubilogin/ubilogin-sso/webapps/uas/WEB-INF/log4j.properties
Add the following line
and then redeploy the applications on each node.
The protocol logger must be set to DEBUG.
To do this, in Ubilogin Management, on the Logging tab, verify that
Server Instance: UAS,
Logging level: diag.protocol is set to level Debug.
After this change has been made, the additional logging is written to the uas3_diag log.
Outbound requests can be found by searching the log for "HttpRequestImpl HttpRequest.invoke()".
The authorization request object is logged in its final outbound form, that is, after encryption if encryption is configured.
For token and other requests, only the GET or POST request line and its parameters are logged, not the request body. Responses are not logged.
If the system is configured only to sign request objects (and not encrypt them), the logged request JWT can be decoded and examined.
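As an added example (not from this page and not Ubisecure's own code), the following Python decodes a request object copied out of the diag log. For a signing-only request object (a compact JWS with three segments) it exposes the header and the claims; for an encrypted one (a compact JWE with five segments) only the header is readable and the claims stay opaque, which is why the page recommends temporarily disabling encryption when debugging. The HMAC key, issuer, client_id and redirect_uri in the sample tokens are constructed values, and the signature is decoded, not verified.

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key used only to build the sample JWS below; not a real UAS signing key.
SAMPLE_KEY = b"constructed-demo-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as used by JWS/JWE compact serialization."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_sample_request_object() -> str:
    """Build a constructed HS256-signed request object shaped like the value an RP
    sends in the request= parameter when the method is configured for signing only."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": "https://sso.example.test",  # constructed issuer
        "aud": "https://op.example.test",  # constructed partner OP
        "response_type": "code",
        "client_id": "constructed-client-id",
        "redirect_uri": "https://sso.example.test/uas/oidc/rp/callback",  # constructed
        "scope": "openid profile",
        "state": "constructed-state",
        "nonce": "constructed-nonce",
    }
    signing_input = _b64url_encode(_compact_json(header)) + "." + _b64url_encode(_compact_json(claims))
    signature = hmac.new(SAMPLE_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def build_sample_encrypted_shape() -> str:
    """Build a five-segment token with the *shape* of a compact JWE (header plus four
    opaque segments). The segments are constructed filler, not real ciphertext; the
    point is only to show what an encrypted request object looks like to an inspector."""
    header = {"alg": "RSA-OAEP-256", "enc": "A256GCM"}
    opaque = [_b64url_encode(b"constructed-opaque-segment-%d" % i) for i in range(4)]
    return ".".join([_b64url_encode(_compact_json(header))] + opaque)


def inspect_request_object(token: str) -> dict:
    """Classify a request object taken from the log and decode what is readable without keys.

    JWS (3 segments): header and claims decode; the signature is not verified here.
    JWE (5 segments): only the header decodes; the claims are encrypted and stay opaque.
    """
    parts = token.split(".")
    if len(parts) == 3:
        return {
            "kind": "JWS",
            "header": json.loads(_b64url_decode(parts[0])),
            "claims": json.loads(_b64url_decode(parts[1])),
        }
    if len(parts) == 5:
        return {
            "kind": "JWE",
            "header": json.loads(_b64url_decode(parts[0])),
            "claims": None,  # encrypted payload: nothing to examine without the partner's key
        }
    raise ValueError(f"not a compact JWS or JWE: {len(parts)} segments")


if __name__ == "__main__":
    for sample in (build_sample_request_object(), build_sample_encrypted_shape()):
        print(json.dumps(inspect_request_object(sample), indent=2))
```

To use this on a real capture, paste the value of the request= parameter from the "HttpRequestImpl HttpRequest.invoke()" line into inspect_request_object; a "JWE" result with claims set to None is the signal that encryption is on and the outbound claims cannot be checked from the log alone.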
Debugging encrypted request objects
To debug outbound requests to a partner that requires encryption, the only option is to temporarily disable encryption so that the outbound format can be captured. The receiving party may or may not reject the unencrypted request, depending on its security requirements.
When registering the OpenIDConnect method, make sure that signing is on:
and that encryption is turned off by removing the following two keys from the JSON metadata: