-
Notifications
You must be signed in to change notification settings - Fork 401
PII
By default, we do not include any potential PII (personally identifiable information) in our exceptions in order to be in compliance with GDPR.
If you need to see the full information present in exceptions, please set IdentityModelEventSource.ShowPII to true.
IdentityModelEventSource.ShowPII = true;
By default, the logger will not log the complete token for security purposes.
- For SecurityToken: A new interface is introduced: Microsoft.IdentityModel.Logging.ISafeLogSecurityArtifact with a single method UnsafeToString(). SecurityToken will implementations (JsonWebToken, JwtSecurityToken,SAML, etc.) the interface and will provide an implementation of UnsafeToString() to return the complete encoded token.
NOTE: The ToString() method is used for return the encoded token without signature or authentication tag.
- For type of object that is not able modified (such as ‘string’): Struct SecurityArtifact can be used to wrap the object and provide a callback to Log appropriately.
LogHelper.MarkAsSecurityArtifact(EncodedToken, ToString callback)
If you need to log the complete token in logs when ShowPII is set to true, please setIdentityModelEventSource.LogCompleteSecurityArtifact to true.
IdentityModelEventSource.LogCompleteSecurityArtifact = true;
Conceptual Documentation
- Using TokenValidationParameters.ValidateIssuerSigningKey
- Scenarios
- Validating tokens
- Outbound policy claim type mapping
- How ASP.NET Core uses Microsoft.IdentityModel extensions for .NET
- Using a custom CryptoProvider
- SignedHttpRequest aka PoP (Proof-of-Possession)
- Creating and Validating JWEs (Json Web Encryptions)
- Caching in Microsoft.IdentityModel
- Resiliency on metadata refresh
- Use KeyVault extensions
- Signing key roll over