up
This commit is contained in:
Vladimir Moushkov
@@ -15,7 +15,7 @@ Audit events share the `StellaOps.Cryptography.Audit.AuthEventRecord` contract.
|
||||
- `Client` — `AuthEventClient` with client identifier, display name, and originating provider/plugin.
|
||||
- `Scopes` — granted or requested OAuth scopes (sorted before emission).
|
||||
- `Network` — `AuthEventNetwork` with remote address, forwarded headers, and user agent string (all treated as PII).
|
||||
- `Properties` — additional `AuthEventProperty` entries for context-specific details (lockout durations, policy decisions, retries, etc.).
|
||||
- `Properties` — additional `AuthEventProperty` entries for context-specific details (lockout durations, policy decisions, retries, `request.tampered`/`request.unexpected_parameter`, `bootstrap.invite_token`, etc.).
|
||||
|
||||
## Data Classifications
|
||||
|
||||
@@ -33,7 +33,13 @@ Event names follow dotted notation:
|
||||
|
||||
- `authority.password.grant` — password grant handled by OpenIddict.
|
||||
- `authority.client_credentials.grant` — client credential grant handling.
|
||||
- `authority.token.tamper` — suspicious `/token` request detected (unexpected parameters or manipulated payload).
|
||||
- `authority.bootstrap.user` and `authority.bootstrap.client` — bootstrap API operations.
|
||||
- `authority.bootstrap.invite.created` — operator created a bootstrap invite.
|
||||
- `authority.bootstrap.invite.consumed` — invite consumed during user/client provisioning.
|
||||
- `authority.bootstrap.invite.expired` — invite expired without being used.
|
||||
- `authority.bootstrap.invite.rejected` — invite was rejected (invalid, mismatched provider/target, or already consumed).
|
||||
- `authority.token.replay.suspected` — replay heuristics detected a token being used from a new device fingerprint.
|
||||
- Future additions should preserve the `authority.<surface>.<action>` pattern to keep filtering deterministic.
|
||||
|
||||
## Persistence
|
||||
|
||||
Reference in New Issue
Block a user