
During development we added details of HTTP requests, including headers, to the error logs to have a better understanding for error investigation. Our architect pointed out that we should not place sensitive information in logs. My question was whether we should consider a bearer token highly sensitive information, taking into account that an access token is a short-lived object.

The recommendations from The OAuth 2.0 Authorization Framework: Bearer Token Usage:

If bearer tokens are passed in page URLs, attackers might be able to steal them from the history data, logs, or other unsecured locations.

I assume that recording the tokens into error logs is also not recommended.

However, ASP.NET Core generates Information messages that include the bearer token (both encoded and as JSON):

2017-09-15 08:32:42.571 +00:00 [Information] Failed to validate the token "eyJ0eXAiOiJKV1QiLCJhb(I've truncated the token but full token can be decoded in JWT.io)". Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10501: Signature validation failed. Unable to match 'kid': 'HHByKU-0DqAxxx', token: '{"alg":"RS256","typ":"JWT","x5t":"HHByKU-0DqAxxx","kid":"HHByKU-0DqAxxx"}.{"aud":"https://webjet.group/eb694f3a-xxx","iss":"https://sts.windows.net/5de0e68cxxx","iat":1505464062,"nbf":1505464062,"exp":1505467962,"acr":"1","aio":"ASQAxxx","amr":["pwd"],"appid":"cc9aa533-xxx","appidacr":"1","e_exp":262800,"family_name":"Freidgeim","given_name":"Michael","groups":[xxx]","2d62738a-xxx"],"in_corp":"true","ipaddr":"121.1.1.1","name":"Michael Freidgeim","oid":"138f5eca-xxx","onprem_sid":"S-1-5-21-xxx","roles":["UATAdmin"],"scp":"user_impersonation","sub":"vTFBQRxxx","tid":"5de0e68c-xxx","unique_name":"Michael.Freidgeim@xxx","upn":"Michael.Freidgeim@xxx","ver":"1.0"}'. at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.< HandleAuthenticateAsync>d__1.MoveNext()

Does it mean that the risk is not so big, because Microsoft considers it acceptable to include in logs?

Or should we exclude Microsoft/System Information LogLevel messages from the logs? It would be quite restrictive, as we are using information logs for investigation, as well as for some monitoring/stats (such as number of logins).

What is the recommended approach regarding storing tokens into logs if we want to satisfy both security and investigation requirements?

2 Answers


If part of the framework is logging INFO messages, I would suppress those in a production environment. Chances are, in the example given above, it would also log a less verbose ERROR level entry?

mackie

It may be a good idea to split the data into operational and SIEM logs, with different access restrictions. That way you can investigate most issues without risk of leaking PII or security information. Because those are your two worries: that the log reveals quite a bit of personal information about your users, and that the tokens are effectively valid passwords (bearer authorizations) until they expire. We only log the token ID (jti) to operational logs, but keep the full token in a secure event store in case the full token is necessary for investigation.

Geir Emblemsvag
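The two answers above describe the same practice from different angles: suppress or rewrite the framework's token-bearing messages, and keep only a token identifier (jti) in the operational log while the full token stays in a restricted store. The following is an added example, not code from the question or from ASP.NET Core, showing that practice in Python's standard logging module: a filter that replaces any compact-serialised JWT in a log message with its jti (or a short hash when the token has no jti), plus a helper that does the same for an Authorization header before request headers are written to an error log. The sample token is constructed inline with a placeholder signature; nothing here validates signatures, which is deliberate, since the messages most worth redacting are precisely the ones about tokens that failed validation.

```python
import base64
import hashlib
import json
import logging
import re

# A compact JWT is three base64url segments separated by dots. Every JWT
# header starts with '{"', which base64url-encodes to 'eyJ', so that prefix
# is a reliable anchor for spotting tokens inside free-form log text.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Headers whose values carry credentials and must never reach an operational log.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_fingerprint(token: str) -> str:
    """Return a non-secret identifier for a JWT: the 'jti' claim when present,
    otherwise a truncated SHA-256 of the whole token. The payload is only
    parsed, never validated, so this also works for tokens that were rejected."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
        jti = payload.get("jti")
        if isinstance(jti, str) and jti:
            return "jti=" + jti
    except (ValueError, IndexError, UnicodeDecodeError, AttributeError):
        pass
    return "sha256=" + hashlib.sha256(token.encode()).hexdigest()[:16]


def redact_tokens(text: str) -> str:
    """Replace every JWT found in a string with '<redacted <fingerprint>>'."""
    return JWT_RE.sub(lambda m: "<redacted " + token_fingerprint(m.group(0)) + ">", text)


def sanitize_headers(headers: dict) -> dict:
    """Copy request headers for an operational log. A bearer JWT is replaced
    by its fingerprint so the request can still be correlated with the secure
    event store; other credential headers are blanked entirely."""
    out = {}
    for name, value in headers.items():
        if name.lower() in SENSITIVE_HEADERS:
            scheme, _, credential = value.partition(" ")
            if scheme.lower() == "bearer" and JWT_RE.fullmatch(credential):
                out[name] = "Bearer <redacted " + token_fingerprint(credential) + ">"
            else:
                out[name] = "<redacted>"
        else:
            out[name] = value
    return out


class TokenRedactingFilter(logging.Filter):
    """Attach to a handler or the root logger so that messages from every
    logger, including third-party/framework ones, are rewritten before any
    formatter or sink sees them."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so tokens passed as %-args are caught too.
        record.msg = redact_tokens(record.getMessage())
        record.args = ()
        return True


def apply_filter(msg: str, *args) -> str:
    """Run one record through TokenRedactingFilter and return what a
    formatter would then see. Used by the demo below and by tests."""
    record = logging.LogRecord("demo", logging.INFO, "", 0, msg, args, None)
    TokenRedactingFilter().filter(record)
    return record.getMessage()


# Constructed sample token (hypothetical claims, placeholder signature).
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url_encode(b'{"sub":"user-123","jti":"7f1d2e3c-example","exp":1505467962}'),
    _b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    logging.getLogger().addFilter(TokenRedactingFilter())
    # Mirrors the shape of the framework message quoted in the question.
    logging.getLogger("JwtBearerHandler").info('Failed to validate the token "%s".', SAMPLE_TOKEN)
    logging.getLogger("errors").error("request headers: %s",
        sanitize_headers({"Authorization": "Bearer " + SAMPLE_TOKEN, "Host": "api.example"}))
```

The filter is attached to the root logger rather than to the application's own logger on purpose: the messages that leaked the token in the question came from the framework's logger, not from application code, so the redaction has to sit where every record passes. The fingerprint in the operational log is what you would use to look up the full token in the restricted event store when an investigation genuinely needs it.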