Hi!
We are interested in using Keycloak for both SSO and as an authorization server, but one key feature we are looking for is audit events, especially for “failed” authentication/authorization requests, so that we can detect resource abuse/misuse attempts.
There are LOGIN and LOGIN_ERROR events available to audit successful/failed authentication attempts, so an access_token request like this one
curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my-client-id' \
--data-urlencode 'client_secret=the-client-secret' \
--data-urlencode 'username=myusername' \
--data-urlencode 'password=mypassword' \
--data-urlencode 'scope=openid'
where all parameters are correct, would generate a LOGIN event that can be seen in the admin interface, and a request like this other one:
curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'client_id=my-client-id' \
--data-urlencode 'client_secret=wrong-client-secret' \
--data-urlencode 'username=or-wrong-username' \
--data-urlencode 'password=or-wrong-password' \
--data-urlencode 'scope=openid'
where one or more parameters are incorrect, would generate a LOGIN_ERROR event visible in the admin interface.
That covers the authentication part very well; however, what about RPT requests (the authorization part)? Which events audit successful/failed requests for RPTs, such as the next one:
curl --location --request POST 'http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token' \
--header 'Authorization: Bearer somevalidaccess_token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:uma-ticket' \
--data-urlencode 'audience=my-audience' \
--data-urlencode 'permission=myResource#my-scope'
where an RPT is requested using a previously generated access_token.
Enabling ALL the events in the admin interface does not cause audit events to be logged for either successful or failed requests of this type.
This screenshot shows ALL the available audit events being “enabled”.
But as said before, for RPT requests, no events are generated whatsoever.
Is there any other way to get those events logged? The failed ones are of particular importance as we could detect attempts to access privileged resources by unprivileged users.
Any help would be greatly appreciated.
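One workaround for the gap described in the post, as an added example that is not part of the post or of Keycloak itself: record an RPT / RPT_ERROR audit event on the caller's side for every UMA-ticket grant request, using the same token URL and parameters as the curl command above, and flag users that accumulate denials. The HTTP call is injected through a `post` callable so the example runs offline; `fake_post` and its responses are constructed for illustration (in production you would pass a thin wrapper around `requests.post`).

```python
"""Client-side audit of UMA RPT requests (added example, not Keycloak code)."""
import json
import logging
import time
from typing import Callable, Dict, List, Tuple

# Values from the post; the server name is the post's placeholder.
TOKEN_URL = "http://mykeycloak.server:9080/auth/realms/myrealm/protocol/openid-connect/token"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

audit_log = logging.getLogger("rpt-audit")
AUDIT: List[Dict] = []  # in-memory trail; ship these records to your SIEM in practice


def request_rpt(post: Callable[..., Tuple[int, Dict]], access_token: str, audience: str,
                permission: str, user: str) -> Dict:
    """POST the uma-ticket grant and record an RPT (success) or RPT_ERROR (denial) event.

    `post(url, headers, form_fields)` must return (http_status, decoded_json_body).
    """
    status, body = post(TOKEN_URL, {"Authorization": f"Bearer {access_token}"},
                        {"grant_type": UMA_GRANT, "audience": audience, "permission": permission})
    event = {"time": int(time.time()), "type": "RPT" if status == 200 else "RPT_ERROR",
             "user": user, "audience": audience, "permission": permission,
             "status": status, "error": body.get("error")}
    AUDIT.append(event)
    audit_log.log(logging.INFO if status == 200 else logging.WARNING, json.dumps(event))
    return event


def repeated_denials(events: List[Dict], threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` RPT_ERROR events: candidates for an abuse review."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["type"] == "RPT_ERROR":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


def fake_post(url: str, headers: Dict, data: Dict) -> Tuple[int, Dict]:
    """Constructed stand-in for the token endpoint: token "ok" only holds my-scope on myResource."""
    if headers["Authorization"] == "Bearer ok" and data["permission"] == "myResource#my-scope":
        return 200, {"access_token": "constructed-rpt", "token_type": "Bearer"}
    return 403, {"error": "access_denied", "error_description": "not_authorized"}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    request_rpt(fake_post, "ok", "my-audience", "myResource#my-scope", "alice")
    for _ in range(3):
        request_rpt(fake_post, "ok", "my-audience", "myResource#admin-scope", "bob")
    print(repeated_denials(AUDIT))  # {'bob': 3}
```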