authorization category
This log category covers all business requests involving JWT authorization tokens, which are used to check whether the user is authorized.
Verify action
The verify action means that an authorization token has just been validated. It generates an "info" severity log if the token is valid, or a "notice" severity log if it is invalid.
The log fields for this action are as follows:
| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| tenant_id | Tenant identifier. Example: 025f02fe-bee2-444b-bf76-b5ead30327c0 | String in uuid v4 format | Mandatory |
| jwk | Information concerning the JWK used to validate the token. | Object | Mandatory |
| jwt | Token content. | Object | Mandatory |
| valid | Checking token legitimacy. Prescribed values: | Boolean | Mandatory |
| type | Token type. Prescribed values: | String | Mandatory |
| details | Additional message describing the cause of the token refusal. Present only when the token is invalid. Example: JWT expired | String | Optional |
JWKS object description
| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| kid | Key identifier. Example: 87bbe0815b064e6d449cac999f0e50e72a3e4374 | String | Mandatory |
| alg | Algorithm used. Prescribed value: | String | Mandatory |
JWT object description
| Field | Description | Type | Mandatory/Optional |
|---|---|---|---|
| | Email address of the user concerned by the token. Example: alice.dupont@gmail.com | String | Mandatory |
| iss | Service that generates the token (issuer). Example: https://google.onelogin.com/ | String | Mandatory |
| aud | Token recipient (audience). Example: a7cb5600-cbb0-023b-531e-02449949762c38534 | String array | Mandatory |
| exp | Expiry time after which the JWT must no longer be accepted. In the form of a timestamp in seconds. Example: 1720542398 | Integer | Mandatory |
| role | Role of the user. Example: reader | String | Mandatory |
| iat | Token creation date (issued at). In the form of a timestamp in seconds. Example: 1720535198 | Integer | Optional |
| resource_name | Token resource identifier, for kacls_to_kacls tokens only. Example: //googleapis.com/drive/files/1OJsaKJM5JES1yi79QCKx-13wOR1i8JPU | String | Optional |
| perimeter_id | Identifier to perform a check on authorization requests. Example: 22041999 | String | Optional |
| kacls_url | KACLS URL, for kacls_to_kacls tokens only. Example: https://cse.mysds.io/api/v1/f438ae27-f33d-1fa3-b1e2-efc4d7635684 | String | Optional |
| email_type | Origin of the user's email address. Example: "google" | String | Optional |
| message_id | Identifier of the message on which the signature or decryption operation has been performed. Example: <CADBpGcUzg2iGuYyRoGkQg4F8sHXNoQtxbSxS7OiyJg | String | Optional |
| spki_hash_algorithm | Algorithm used to produce the spki_hash. Example: SHA-256 | String | Optional |
| spki_hash | base64 digest of the public key. Example: YSBzcGtpIGhhc2ggb2YgdGhlIHB1YmxpYyBrZXk= | String | Optional |
| number_of_custom_claims | Number of custom claims contained in the token. Example: 1 | Integer | Mandatory |
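
Added example, not part of the original documentation: a Python check of verify records against the mandatory fields and types in the tables above, plus a count of refused tokens per tenant and issuer. It assumes records arrive as parsed JSON objects with this nesting; the `type` and `alg` values in the samples are placeholders because their prescribed values are not listed here, and the function names are hypothetical.

```python
import re
from collections import Counter

# Mandatory fields and types from the tables above. The JWT field whose name
# is missing from the table is not checked.
TOP = {"tenant_id": str, "jwk": dict, "jwt": dict, "valid": bool, "type": str}
JWK = {"kid": str, "alg": str}
JWT = {"iss": str, "aud": list, "exp": int, "role": str,
       "number_of_custom_claims": int}
UUID4 = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I)

def check_record(rec):
    """Return the schema problems found in one verify record (empty if none)."""
    problems = []
    for obj, spec, prefix in ((rec, TOP, ""), (rec.get("jwk"), JWK, "jwk."),
                              (rec.get("jwt"), JWT, "jwt.")):
        for name, typ in spec.items():
            val = obj.get(name) if isinstance(obj, dict) else None
            # bool is a subclass of int in Python, so reject it for Integer fields
            if not isinstance(val, typ) or (typ is int and isinstance(val, bool)):
                problems.append(f"{prefix}{name}: missing or not {typ.__name__}")
    if not UUID4.fullmatch(str(rec.get("tenant_id"))):
        problems.append("tenant_id: not a v4 UUID")
    # details is documented as present only when the token is invalid
    if rec.get("valid") is True and "details" in rec:
        problems.append("details: present on a valid token")
    return problems

def refusals(records):
    """Count well-formed refused tokens per (tenant_id, issuer, details)."""
    return Counter((r["tenant_id"], r["jwt"]["iss"], r.get("details", ""))
                   for r in records if not check_record(r) and r["valid"] is False)

# Constructed sample records built from the example values in the tables;
# the "type" and "alg" strings are placeholders, not documented values.
_JWT = {"iss": "https://google.onelogin.com/", "exp": 1720542398, "role": "reader",
        "aud": ["a7cb5600-cbb0-023b-531e-02449949762c38534"],
        "number_of_custom_claims": 1}
_BASE = {"tenant_id": "025f02fe-bee2-444b-bf76-b5ead30327c0", "jwt": _JWT,
         "type": "PLACEHOLDER_TYPE",
         "jwk": {"kid": "87bbe0815b064e6d449cac999f0e50e72a3e4374",
                 "alg": "PLACEHOLDER_ALG"}}
SAMPLES = [
    {**_BASE, "valid": True},
    {**_BASE, "valid": False, "details": "JWT expired"},
    {**_BASE, "valid": False, "details": "JWT expired", "tenant_id": "not-a-uuid"},
    {**_BASE, "valid": "false", "jwt": {**_JWT, "exp": "1720542398"}},
]
```

Records that fail the schema check are excluded from the refusal count so that a malformed `valid` or `tenant_id` cannot skew it; report them separately.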