authentication category

This category of logs contains all the business requests concerning JWT authentication tokens. The tokens are generated by a third-party tool and guarantee the user's identity.

Verify action

The verify action means that a JWT authentication token has just been validated. It generates an "info" severity log if the token is valid, or a "notice" severity log if it is invalid.

The log fields for this action are as follows:

| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| tenant_id | Tenant identifier. Example: 025f02fe-bee2-444b-bf76-b5ead30327c0 | String in uuid v4 format | Mandatory |
| jwk | Information concerning the JWK used to validate the token. See JWK object description. | Object | Mandatory |
| jwt | Token content. See JWT object description. | Object | Mandatory |
| valid | Checking token legitimacy. Prescribed values: true, false | Boolean | Mandatory |
| source | JWK configuration source. Prescribed values: local_configuration, remote_well_known_cse_configuration | String | Mandatory |
| type | Token type. Prescribed values: user_authentication, admin_authentication, kacsl-to-kacls_authentication, wrapprivatekey_authentication, delegate_authentication | String | Mandatory |
| details | Additional message describing the cause of the token refusal. Present only when the token is invalid. Example: JWT expired | String | Optional |

JWK object description

| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| kid | Key identifier. Example: 87bbe0815b064e6d449cac999f0e50e72a3e4374 | String | Mandatory |
| alg | Algorithm used. Prescribed value: RS256 | String | Mandatory |

JWT object description

| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| email | Email address of the user concerned by the token. Example: alice.dupont@gmail.com | String | Mandatory |
| google_email | User's Google account email address. This field is always absent in the case of a digest action. Example: alice.google@gmail.com | String | Optional |
| iss | Service that generates the token (issuer). Example: https://google.onelogin.com/ | String | Mandatory |
| aud | Token recipient (audience). Example: a7cb5600-cbb0-023b-531e-02449949762c38534 | String array | Mandatory |
| exp | Expiry time after which the JWT must no longer be accepted. In the form of a timestamp in seconds. Example: 1720542398 | Integer | Mandatory |
| iat | Token creation date (issued at). In the form of a timestamp in seconds. Example: 1720535198 | Integer | Mandatory |
| number_of_custom_claims | Number of custom claims contained in the token. Example: 1 | Integer | Mandatory |
| kacls_url | KACLS URL, for kacls_to_kacls tokens only. Example: https://cse.mysds.io/api/v1/f438ae27-f33d-1fa3-b1e2-efc4d7635684 | String | Optional |
| resource_name | Token resource identifier, for kacls_to_kacls tokens only. Example: //googleapis.com/drive/files/1OJsaKJM5JES1yi79QCKx-13wOR1i8JPU | String | Optional |
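
The field tables above can be enforced at log ingestion. The following Python check is an added example, not part of the original documentation or of the product: it assumes each verify record arrives as a JSON object using the field names above and that the log severity is supplied separately (the page does not say where severity is carried). The names `check_verify_record` and `SAMPLE` are hypothetical.

```python
import json
import re

# Mandatory fields and prescribed values, copied from the tables on this page.
TOP = {"tenant_id": str, "jwk": dict, "jwt": dict, "valid": bool,
       "source": str, "type": str}
JWK = {"kid": str, "alg": str}
JWT = {"email": str, "iss": str, "aud": list, "exp": int, "iat": int,
       "number_of_custom_claims": int}
SOURCES = {"local_configuration", "remote_well_known_cse_configuration"}
TYPES = {"user_authentication", "admin_authentication",
         "kacsl-to-kacls_authentication",  # spelled as in the table
         "wrapprivatekey_authentication", "delegate_authentication"}
UUID4 = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I)

def _shape(obj, spec, prefix=""):
    """Report mandatory fields that are absent or of the wrong JSON type."""
    return [f"{prefix}{k}: missing or not {t.__name__}"
            for k, t in spec.items() if type(obj.get(k)) is not t]

def check_verify_record(line, severity):
    """Return the list of schema problems found in one verify record."""
    rec = json.loads(line)
    problems = _shape(rec, TOP)
    if problems:
        return problems  # nested checks need the top-level fields
    problems += _shape(rec["jwk"], JWK, "jwk.") + _shape(rec["jwt"], JWT, "jwt.")
    rules = [
        (UUID4.fullmatch(rec["tenant_id"]), "tenant_id: not a uuid v4"),
        (rec["source"] in SOURCES, "source: not a prescribed value"),
        (rec["type"] in TYPES, "type: not a prescribed value"),
        (rec["jwk"].get("alg") in (None, "RS256"), "jwk.alg: not a prescribed value"),
        # Documented rule: valid token -> "info", invalid token -> "notice".
        (severity == ("info" if rec["valid"] else "notice"), "severity: inconsistent with valid"),
        # details is documented as present only when the token is invalid.
        (not (rec["valid"] and "details" in rec), "details: present although valid is true"),
    ]
    return problems + [msg for ok, msg in rules if not ok]

# Constructed sample record, built from the example values on this page.
SAMPLE = json.dumps({
    "tenant_id": "025f02fe-bee2-444b-bf76-b5ead30327c0", "valid": False,
    "source": "local_configuration", "type": "user_authentication",
    "details": "JWT expired",
    "jwk": {"kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374", "alg": "RS256"},
    "jwt": {"email": "alice.dupont@gmail.com", "iss": "https://google.onelogin.com/",
            "aud": ["a7cb5600-cbb0-023b-531e-02449949762c38534"],
            "exp": 1720542398, "iat": 1720535198, "number_of_custom_claims": 1}})
```

A record that fails these checks points to a parsing or forwarding fault in the log pipeline, or to a record that did not come from the documented verify action.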