Monitoring the Authorization Server
HTTP Monitoring
There are two ways of confirming that the FPX Authorization Server is functioning properly. The first is a public HTTP endpoint that signals that the application is running. Send a GET request to:
/.well-known/fpx/version
This should return an HTTP 200 status code. A 200 here confirms only that the application is up and serving requests; it does not exercise token issuance or the backing data store. Other endpoints that do not require authentication, such as the public registry endpoints, could also be used to test the Authorization Server, but they should be avoided for routine monitoring because their use adds load on the server.
Logs
The logs output by the Authorization Server can also be used to monitor its usage and health. It is important to monitor every running instance of the AS and to aggregate their logs into the SIEM product of your choice, so that activity from one client or address can be correlated across instances.
Alert Levels
Each audit log line carries two fields that are useful for analysis: the alert level and the error code. The alert level is the single digit that follows the field name and can be extracted with the regular expression
Alert-Level: [0-3]
Level 0 is informational (see the note below the table), so use [1-3] instead to select only lines that carry an alert. The error code is the five-digit value following "Code: " and can be extracted with
Code: [0-9]{5}
As an example:
01-10-2020 20:43:10.469 [https-jsse-nio-8080-exec-7] ERROR audit.error - Activity: GET https://authserver.identos.ca/registry/resource/resource_definition/identos-client, Alert-Level: 1, Message: No such resource identos-client found, Code: 40280, Request-Address: 100.117.182.129
Alert Level
There are three different alert levels that can be generated:
- Level 1: malicious user or simple security breach attempt (e.g. invalid username/password combination), or incorrect configuration.
- Level 2: partner using bad program logic (no such permission), bad state (resource does not exist), more serious misconfiguration (IDP signature incorrect), or an authenticated user sending bad data.
- Level 3: bad state, bad configuration, an authenticated user or system attempting a dangerous action (scope was not requested/authorized), or a potentially malicious actor successfully impersonating a user/system (refresh token has already been refreshed).
Level 3 alerts should trigger action to remedy and/or investigate the issue. Level 1 events are individually low value but are worth counting per Request-Address, since a burst of them from one address is the signature of credential guessing.
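As an added example (not code from the FPX product or its documentation), the following Python script applies the extraction described above to the audit line format shown, triages events by alert level, and flags addresses that keep generating alerts. The first sample line is the one shown on this page; the remaining lines, the hostname authserver.example.test and its paths are constructed placeholders, and the set of "impersonation" codes is the editor's own selection of level-3 entries from the table below whose message names another client or a replayed credential.

```python
"""Triage FPX Authorization Server audit log lines by Alert-Level.

Added example for this page, not code from the FPX product. It assumes the
audit line layout shown above: timestamp, thread, log level, logger, then
comma-separated "Key: value" fields ending in Request-Address.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# One regex for the whole audit line. Alert-Level is a single digit 0-3
# (0 is informational); Message is read non-greedily up to ", Code:".
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<severity>\w+) (?P<logger>\S+) - "
    r"Activity: (?P<activity>.*?), Alert-Level: (?P<level>[0-3]), "
    r"Message: (?P<message>.*?), Code: (?P<code>\d+), "
    r"Request-Address: (?P<addr>\S+)\s*$"
)

# Level-3 codes whose message names another client or a replayed credential.
# Editor's selection from the table on this page, not a product classification.
IMPERSONATION_CODES = {"39903", "39904", "40108", "40460", "40610", "40650"}


@dataclass
class AuditEvent:
    timestamp: str
    activity: str
    level: int
    message: str
    code: str
    request_address: str


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent for an audit line, or None for any other log line."""
    m = AUDIT_RE.match(line)
    if m is None:
        return None
    return AuditEvent(m["ts"], m["activity"], int(m["level"]),
                      m["message"], m["code"], m["addr"])


def classify(event: AuditEvent) -> str:
    """Map an event to the response the alert-level definitions call for."""
    if event.level == 3 and event.code in IMPERSONATION_CODES:
        return "investigate: possible token or ticket misuse by another client"
    if event.level == 3:
        return "investigate: bad state, configuration or dangerous action"
    if event.level == 2:
        return "review: partner logic, state or configuration problem"
    if event.level == 1:
        return "record: failed attempt or misconfiguration"
    return "info"


def triage(lines: Iterable[str], repeat_threshold: int = 3) -> Dict[str, object]:
    """Count events per level, collect level-3 events, and list addresses that
    produced at least repeat_threshold alerts (level 1 or higher)."""
    events: List[AuditEvent] = [e for e in map(parse_audit_line, lines) if e is not None]
    per_address = Counter(e.request_address for e in events if e.level >= 1)
    return {
        "events": events,
        "by_level": Counter(e.level for e in events),
        "actionable": [e for e in events if e.level == 3],
        "repeat_offenders": sorted(a for a, n in per_address.items() if n >= repeat_threshold),
    }


# Constructed sample. The first audit line is the one shown on this page; the
# others are made up (authserver.example.test and its paths are placeholders).
# The INFO line shows that non-audit lines are skipped.
SAMPLE_LINES = [
    "01-10-2020 20:43:10.469 [https-jsse-nio-8080-exec-7] ERROR audit.error - "
    "Activity: GET https://authserver.identos.ca/registry/resource/resource_definition/identos-client, "
    "Alert-Level: 1, Message: No such resource identos-client found, Code: 40280, "
    "Request-Address: 100.117.182.129",
    "01-10-2020 20:43:11.000 [main] INFO org.example.Startup - Authorization Server started",
    "01-10-2020 20:43:12.102 [https-jsse-nio-8080-exec-2] ERROR audit.error - "
    "Activity: POST https://authserver.example.test/token, Alert-Level: 3, "
    "Message: Unauthorized access to Authorization Code by Client client-b, Code: 40650, "
    "Request-Address: 198.51.100.7",
    "01-10-2020 20:43:12.530 [https-jsse-nio-8080-exec-3] ERROR audit.error - "
    "Activity: GET https://authserver.example.test/authorize, Alert-Level: 2, "
    "Message: The client has not authorized this redirect uri: https://evil.example/cb, Code: 40051, "
    "Request-Address: 198.51.100.7",
    "01-10-2020 20:43:13.004 [https-jsse-nio-8080-exec-5] ERROR audit.error - "
    "Activity: POST https://authserver.example.test/token, Alert-Level: 3, "
    "Message: jti has already been redeemed, Code: 40108, Request-Address: 198.51.100.7",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("events per level:", dict(result["by_level"]))
    for e in result["actionable"]:
        print(f"{e.timestamp} {e.code} {e.request_address}: {classify(e)}")
    print("repeat offenders:", result["repeat_offenders"])
```

The single anchored regex is deliberate: matching the whole line rather than grepping for "Alert-Level" alone means a level digit appearing inside a Message value, or a non-audit line, cannot produce a false event. The repeat-offender count uses Request-Address as the key, which is only meaningful if the AS records the client address rather than that of a load balancer; check that before relying on it.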
Authorization Server Exception Types
The following table lists the Exception Type messages that appear in the Authorization Server log output along with their alert levels. The placeholders {0} and {1} are filled in at runtime (for example, "No such resource {0} found" appears in the log line above as "No such resource identos-client found"), so match on the error code rather than on the full message text.
Alert Level | Error Code | Description |
---|---|---|
1 | 39900 | "Code Challenge Method must be SHA256" |
1 | 39901 | "Code Challenge must be long and unique" |
1 | 39902 | "Only Public Clients may use PKCE" |
3 | 39903 | "A different Client started this Transaction" |
3 | 39904 | "Code Verifier does not match Code Challenge" |
1 | 40010 | "An internal server error occurred: {0}" |
0 | 40450 | "Malformed application/x-www-form-urlencoded request" |
1 | 40020 | "Bad request." |
1 | 40030 | "Agent did not have a JWK set registered." |
1 | 40040 | "The client specified by this id was not valid: {0}" |
2 | 40041 | "The client specified by this id is not set up as an UMA client: {0}" |
1 | 40050 | "The client credentials were not valid: {0}" |
1 | 40052 | "This ticket must be sent to the token endpoint before claims gathering can begin." |
2 | 40051 | "The client has not authorized this redirect uri: {0}" |
1 | 40080 | "Registration was unsuccessful with status: {0}" |
1 | 40090 | "Authentication was unsuccessful with status: {0}" |
2 | 40100 | "Webauthn challenge has disappeared unexepectedly" |
3 | 40108 | "jti has already been redeemed" |
2 | 40109 | "jti claim must be present in jwt" |
1 | 40110 | "Agent is not registered." |
2 | 40111 | "This OAuth client is not registered as an Agent: {0}" |
1 | 40120 | "Issuer does not match JWT." |
1 | 40130 | "The identity request is invalid: {0}" |
1 | 40131 | "The Agent encountered an error during claims-gathering: {0}" |
1 | 40140 | "The IDP is invalid: {0}" |
1 | 40190 | "The access token is invalid: {0}" |
1 | 40200 | "The access token is expired {0}." |
2 | 40210 | IDNException.REFRESH_MESSAGE |
1 | 40210 | IDNException.REFRESH_MESSAGE |
2 | 40210 | IDNException.REFRESH_MESSAGE |
3 | 40240 | "The scope was not required in the ticket: {0}" |
2 | 40250 | "The Resource Server does not provide the {0} scope" |
1 | 40260 | "No such request found" |
1 | 40270 | "a matched provider was not owned by this user" |
1 | 40280 | "No such resource {0} found" |
2 | 40290 | "This client is not set up as a Resource Server: {0}" |
1 | 40291 | "access token is no longer valid" |
1 | 40300 | "No scope named {0} found" |
1 | 40310 | "The scope {0} is not allowed to be used on this resource type" |
1 | 40330 | "Unable to parse the RegResponse." |
1 | 40340 | "Unable to parse the AuthResponse" |
1 | 40350 | "The header was malformed: {0}" |
1 | 40360 | "The given parameters were invalid." |
1 | 40370 | "The identity registration failed a validation: {0}" |
1 | 40380 | "The identity response could not be parsed." |
1 | 40420 | "The uma authentication request was malformed." |
1 | 40440 | "No such ticket {0} found" |
1 | 40450 | "ticket {0} has been redeemed or is not the most recent ticket" |
3 | 40460 | "ticket {0} was redeemed by another client" |
2 | 40470 | "no access to a permission with this id" |
1 | 40502 | "permission/permissions were not found" |
1 | 40500 | "The id_token was invalid: {0}." |
3 | 40501 | "The permission uses a resource type not requested in the ticket." |
3 | 40510 | "The permission ticket was created in an unknown way." |
1 | 40511 | "The permission ticket was not found." |
1 | 40530 | "The requested resource capability was not found." |
1 | 40530 | "The resource was not found for resource server {0} and resource definition of type {1}." |
1 | 40540 | "The requested permission was not found." |
1 | 40560 | "nothing was granted" |
2 | 40580 | "The JWT could not be parsed" |
3 | 40590 | "Client is not able to request the requested resource" |
1 | 40600 | "Unauthorized access to Capability Ticket {0} by Client {1}" |
3 | 40610 | "Token {0} does not belong to and cannot be used by Client {1}" |
1 | 40620 | "Invalid grant type {0}" |
1 | 40621 | "Only public clients can use implicit flow" |
1 | 40630 | "Client does not use a client secret for authentication" |
3 | 40640 | "Authorization code was not found" |
3 | 40650 | "Unauthorized access to Authorization Code by Client {0}" |
1 | 40660 | "Authorization code has expired" |
1 | 40670 | "Authorization code has already been redeemed" |
1 | 40710 | "Unsupported authentication protocol." |
1 | 40711 | "Cannot {0} - The operation is invalid or unimplemented." |
1 | 40720 | "Audience not registered." |
1 | 40720 | "No resource definition of the type {0} has been found" |
1 | 40720 | "Non unique resource found which is of definition {0} and protected by RS {1}" |
3 | 40730 | "No data converter is suitable to convert the data to or from the internal data format. = {0}" |
1 | 40720 | "Resource of type {0} is invalid." |
0* | 40720 | "The requested scope is currently not supported {0}" |
1 | 40720 | "The value type for optional claim [{0}] has not been registered" |
0* | 40520 | "No such language translation found for key : {0} " |
0* | 50530 | "The locale {0} is not supported" |
0* | 50080 | "No message content found from localization entries for key {0} and language {1}" |
1 | 40420 | "The Request ID is invalid." |
1 | 40500 | "The login hint {0} is invalid." |
An Alert Level of 0 indicates an informational message and has no severity associated with it.