From b19d9ffe70ab9b18a76dcacd0994a4326df659da Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Fri, 25 Apr 2025 17:40:04 -0500
Subject: [PATCH 1/3] Enhance logging documentation for sensitive values
 filters in IdentityServer options

---
 src/content/docs/identityserver/reference/options.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/content/docs/identityserver/reference/options.md b/src/content/docs/identityserver/reference/options.md
index 03a924cf..a483b300 100644
--- a/src/content/docs/identityserver/reference/options.md
+++ b/src/content/docs/identityserver/reference/options.md
@@ -340,15 +340,19 @@ Logging related settings, including filters that will remove sensitive values an
 
 * **`AuthorizeRequestSensitiveValuesFilter`**
     
-    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be excluded from logging. Defaults to `id_token_hint`.
+    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`.
+
+* **`PushedAuthorizationSensitiveValuesFilter`**
+    
+    Collection of parameter names passed to the Pushed Authorization Request (PAR) endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the PAR endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values that are pushed, and usually should be set to the same value as `AuthorizeRequestSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`.
 
 * **`TokenRequestSensitiveValuesFilter`**
     
-    Collection of parameter names passed to the token endpoint that are considered sensitive and will be excluded from logging. In `v7.0` and earlier, defaults to `client_secret`, `password`, `client_assertion`, `refresh_token`, and `device_code`. In `v7.1`, `subject_token` is also excluded.
+    Collection of parameter names passed to the token endpoint that are considered sensitive and will be redacted in logs. In `v7.0` and earlier, defaults to `client_secret`, `password`, `client_assertion`, `refresh_token`, and `device_code`. In `v7.1`, `subject_token` is also excluded.
 
 * **`BackchannelAuthenticationRequestSensitiveValuesFilter`**
   
-    Collection of parameter names passed to the backchannel authentication endpoint that are considered sensitive and will be excluded from logging. Defaults to `client_secret`, `client_assertion`, and `id_token_hint`.
+    Collection of parameter names passed to the backchannel authentication endpoint that are considered sensitive and will be redacted in logs. Defaults to `client_secret`, `client_assertion`, and `id_token_hint`.
 
 * **`UnhandledExceptionLoggingFilter`** (added in `v6.2`)
   

From c09cdeffa6494ebae257b074c45d174b8706f262 Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Sat, 26 Apr 2025 08:45:14 -0500
Subject: [PATCH 2/3] Update options.md

---
 src/content/docs/identityserver/reference/options.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/identityserver/reference/options.md b/src/content/docs/identityserver/reference/options.md
index a483b300..864f5b7d 100644
--- a/src/content/docs/identityserver/reference/options.md
+++ b/src/content/docs/identityserver/reference/options.md
@@ -340,7 +340,7 @@ Logging related settings, including filters that will remove sensitive values an
 
 * **`AuthorizeRequestSensitiveValuesFilter`**
     
-    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`.
+    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. The default value was changed in versions 7.2.2, 7.1.2, and 7.0.9 to include `client_secret` and `client_assertion`. 
 
 * **`PushedAuthorizationSensitiveValuesFilter`**
     

From 9596326b107777a1c036bdc92d3c6b3121d1c5f5 Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Tue, 29 Apr 2025 23:12:40 -0500
Subject: [PATCH 3/3] Update version numbers

---
 src/content/docs/identityserver/reference/options.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/identityserver/reference/options.md b/src/content/docs/identityserver/reference/options.md
index 864f5b7d..2ee9958f 100644
--- a/src/content/docs/identityserver/reference/options.md
+++ b/src/content/docs/identityserver/reference/options.md
@@ -340,7 +340,7 @@ Logging related settings, including filters that will remove sensitive values an
 
 * **`AuthorizeRequestSensitiveValuesFilter`**
     
-    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. The default value was changed in versions 7.2.2, 7.1.2, and 7.0.9 to include `client_secret` and `client_assertion`. 
+    Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. The default value was changed in version 7.2.2 to include `client_secret` and `client_assertion`. 
 
 * **`PushedAuthorizationSensitiveValuesFilter`**