
What information is logged by IdentityModel when ShowPii is set to true?

IdentityModelEventSource has a property called ShowPII that means that Personally Identifiable Information will be added to the logs (in relation to security). This value is used to decide when to log some OAuth2 sensitive data.

I am trying to understand what kind of Personally Identifiable Information will be logged:

  • Client ID? (aka Client Key, Consumer Key)
  • Client Secret? (aka Consumer Secret)
  • Json Web Tokens? (aka JWT)
  • Access Tokens?
  • Refresh Tokens?
  • Kerberos Tickets?
  • PKCE Values?
  • Authorization Codes?

I know it cannot get access to usernames and passwords because they are only exchanged directly with the IDP.

But I need to know if I need to find a way to lock down my log files because it will have data that constitutes a security vulnerability.

Vaccano asked Jul 09 '20 17:07





2 Answers

These are the possible log messages of IdentityModel: LogMessages.cs

About

I am trying to understand what kind of Personally Identifiable Information will be logged

I won't copy-paste log messages from there (especially, as they can change at any moment). You can check them yourself and decide what should be considered as the PII.

But here's an interesting example:

"IDX10615: Encryption failed. No support for: Algorithm: '{0}', SecurityKey: '{1}'."

and this is how it's used:

throw LogHelper.LogExceptionMessage(new SecurityTokenEncryptionFailedException(LogHelper.FormatInvariant(TokenLogMessages.IDX10615, encryptingCredentials.Enc, encryptingCredentials.Key)));

If you'll follow the track you'll find out that encryptingCredentials.Key will be logged if ShowPII = true and won't be logged if ShowPII = false.

Of course, depending on your use case, this particular message may never appear in your logs. And not all messages are so outrageously leaky. But you never know:

  1. your use case may change
  2. you may be mistaken about the set of messages IdentityModel can emit for your use case
  3. IdentityModel code may change, and you may forget to check if the set of messages is still secure

So about

if I need to find a way to lock down my log files

Yes, you definitely need to.

Or better yet - don't use ShowPII = true in production for monitoring, use it only in development environment for debugging purposes.

x00 answered Oct 19 '22 02:10

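As an added example (not code from the question or the answers above), this shows the configuration the answer recommends, with the risky always-on setting beside one gated on the hosting environment, plus a helper that renders the quoted IDX10615 message with ShowPII on and off so you can see what reaches the log. The ASP.NET Core host, the package names and the constructed key string are assumptions; the library calls are IdentityModelEventSource.ShowPII and LogHelper.FormatInvariant as referenced in the answer.

```csharp
// Added example: gate ShowPII on the environment and render the same message both ways.
// Assumes the Microsoft.IdentityModel.Logging package and an ASP.NET Core host.
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Hosting;
using Microsoft.IdentityModel.Logging;

var builder = WebApplication.CreateBuilder(args);

// Risky setting: raw parameters (keys, tokens, claims) are written to the logs
// in every environment, so the log files themselves become sensitive data.
// IdentityModelEventSource.ShowPII = true;

// Gated setting: only a Development host gets the raw values; everywhere else the
// library substitutes a marker naming the argument's type instead of its value.
IdentityModelEventSource.ShowPII = builder.Environment.IsDevelopment();

Console.WriteLine(PiiDemo.Render(showPii: true));   // key material appears in the text
Console.WriteLine(PiiDemo.Render(showPii: false));  // only a type marker appears

static class PiiDemo
{
    // Message template quoted in the answer above.
    const string Idx10615 =
        "IDX10615: Encryption failed. No support for: Algorithm: '{0}', SecurityKey: '{1}'.";

    // Formats the template the way the library does (LogHelper.FormatInvariant) under a
    // given ShowPII value, restoring the caller's setting afterwards. The second argument
    // is a constructed placeholder standing in for the key object the library would pass.
    public static string Render(bool showPii)
    {
        bool previous = IdentityModelEventSource.ShowPII;
        IdentityModelEventSource.ShowPII = showPii;
        try
        {
            return LogHelper.FormatInvariant(Idx10615, "A256KW", "constructed-key-material");
        }
        finally
        {
            IdentityModelEventSource.ShowPII = previous;
        }
    }
}
```

Run it under ASPNETCORE_ENVIRONMENT=Production and Development to confirm that the host-level setting, not the code, decides whether the parameter values are written.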


Looking at the source, it appears that when ShowPII is on - it will do two things:

  1. Replace all parameters passed to library-specific exceptions with their data type names
  2. For all system exceptions - replace inner message with exception type name

In this context "library-specific" is an exception that is of type Exception and its full type name starts with "Microsoft.IdentityModel." (library defines a few)

Depending on your use case you'd see a variety of parameters that can be logged with custom exceptions. A quick search for FormatInvariant yields quite a few for your consideration.

Again, depending on how you use it, you might get a better idea of what the error messages are by looking through relevant LogMessages.cs file on your specific namespace.


P.S.: on a side note, it appears that the default ShowPII setting is GDPR-compliant

timur answered Oct 19 '22 03:10
