Skip to content

Add docs on PAR sensitive values filter, update authorize request sensitive values filter docs #694

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
josephdecock merged 3 commits into from
Apr 30, 2025
Merged

Add docs on PAR sensitive values filter, update authorize request sensitive values filter docs #694

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
b19d9ff
Enhance logging documentation for sensitive values filters in Identit…
josephdecock Apr 25, 2025
c09cdef
Update options.md
josephdecock Apr 26, 2025
9596326
Update version numbers
josephdecock Apr 30, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 7 additions & 3 deletions src/content/docs/identityserver/reference/options.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -340,15 +340,19 @@ Logging related settings, including filters that will remove sensitive values an

* **`AuthorizeRequestSensitiveValuesFilter`**

Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be excluded from logging. Defaults to `id_token_hint`.
Collection of parameter names passed to the authorize endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the Pushed Authorization Request (PAR) endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values wether or not they are pushed, and usually should be set to the same value as `PushedAuthorizationSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`. The default value was changed in version 7.2.2 to include `client_secret` and `client_assertion`.

* **`PushedAuthorizationSensitiveValuesFilter`**

Collection of parameter names passed to the Pushed Authorization Request (PAR) endpoint that are considered sensitive and will be redacted in logs. Note that authorization parameters pushed to the PAR endpoint are eventually handled by the authorize request pipeline. This filter should be configured to exclude sensitive values that are pushed, and usually should be set to the same value as `AuthorizeRequestSensitiveValuesFilter`. Defaults to `client_secret`, `client_assertion`, `id_token_hint`.

* **`TokenRequestSensitiveValuesFilter`**

Collection of parameter names passed to the token endpoint that are considered sensitive and will be excluded from logging. In `v7.0` and earlier, defaults to `client_secret`, `password`, `client_assertion`, `refresh_token`, and `device_code`. In `v7.1`, `subject_token` is also excluded.
Collection of parameter names passed to the token endpoint that are considered sensitive and will be redacted in logs. In `v7.0` and earlier, defaults to `client_secret`, `password`, `client_assertion`, `refresh_token`, and `device_code`. In `v7.1`, `subject_token` is also excluded.

* **`BackchannelAuthenticationRequestSensitiveValuesFilter`**

Collection of parameter names passed to the backchannel authentication endpoint that are considered sensitive and will be excluded from logging. Defaults to `client_secret`, `client_assertion`, and `id_token_hint`.
Collection of parameter names passed to the backchannel authentication endpoint that are considered sensitive and will be redacted in logs. Defaults to `client_secret`, `client_assertion`, and `id_token_hint`.

* **`UnhandledExceptionLoggingFilter`** (added in `v6.2`)

Expand Down