Product: TIBCO Spotfire®
How to enable logging of OpenID claims including values in TIBCO Spotfire Server.
Since the OpenID claims likely contain personal data (PII), and may contain other security-sensitive information, they are not logged by default in the TIBCO Spotfire Server server.log. Prior to TIBCO Spotfire Server 10.9, if TRACE logging is enabled, Spotfire logs the names of available claims in OpenID Connect ID tokens and UserInfo endpoint responses.
Refer to KB 000041759, "How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration", for how to find the claims that can be used. To aid in setup and troubleshooting, it is now possible to enable logging of claims including values by setting the security.oidc.log-claim-values configuration property to true (the default is false).
- If the property is set to true then all claims (including values) in ID tokens and UserInfo Endpoint responses will be logged (on INFO level).
- If the property is set to false then only the names of claims will be logged (on TRACE level), as described in KB 000041759.
- Export the current server configuration using the CLI command export-config.
- Run the following command to enable logging of claims including values:
>config.bat set-config-prop --name=security.oidc.log-claim-values --value=true
- Import the configuration back to the database using the import-config command:
>config.bat import-config -c "Enabled logging of Claims values"
- Restart the Spotfire Server Service.