It is helpful to identify the request user in app logs using SLF4J MDC. Currently the mechanism is generic and also rather blind: since "principal" is an `Object`, the MDC handler simply calls `principal.toString()`:

```java
// in PrincipalMDC.java
MDC.put(MDC_KEY, String.valueOf(principal));
```
In the case of `JwtPrincipal`, `toString()` returns the `sub` claim, which is pretty universal and stable for each client or user token. But it is often not traceable back to the actual account (at least with the MS Entra IDP), making the logs much less useful. It would be great to have a custom mechanism for extracting the MDC identifier out of JWTs.

Perhaps we should do the same thing we did for roles, i.e. a custom parser factory:
```yaml
shirojwt:
  trustedServers:
    s1:
      roles:
        type: jsonList
        claim: roles
```
For the MDC config, it might look like:

```yaml
shirojwt:
  trustedServers:
    s1:
      principalId:
        type: myIdExtractor # the default would be the "sub" claim
```
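To make the proposal concrete, here is an added sketch of what a pluggable identifier extractor could look like. This is example code written for this discussion, not code from the shiro-jwt module: the `PrincipalIdExtractor` interface, the `withPrincipalId` helper, the `MDC_KEY` name and the sample claims are all assumptions. It keeps the current default (the `sub` claim), adds a claim-based extractor that falls back to `sub` when the configured claim is absent (typical for client-credential tokens that carry no `preferred_username`), strips CR/LF from the value so a crafted claim cannot forge extra log lines, and always clears the MDC entry in `finally` so the identity cannot leak onto the next request handled by the same thread.

```java
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import org.slf4j.MDC;

// Hypothetical extractor design for the MDC identifier; not part of shiro-jwt.
// Needs an SLF4J binding (e.g. logback) on the classpath for MDC to actually store values.
public final class MdcPrincipalId {

    // Name of the MDC entry holding the request identity; assumed for this example.
    static final String MDC_KEY = "principal";

    /** Strategy turning the token's claims into the identifier that goes into MDC. */
    public interface PrincipalIdExtractor extends Function<Map<String, Object>, Optional<String>> {}

    /** Current default behaviour: the "sub" claim. */
    public static PrincipalIdExtractor subClaim() {
        return claims -> Optional.ofNullable(claims.get("sub")).map(String::valueOf);
    }

    /** Configurable claim (e.g. "preferred_username" or "oid"), falling back to "sub" if absent. */
    public static PrincipalIdExtractor fromClaim(String claimName) {
        return claims -> Optional.ofNullable(claims.get(claimName))
                .map(String::valueOf)
                .or(() -> subClaim().apply(claims));
    }

    /** Replaces CR/LF so a malicious claim value cannot inject fake log lines. */
    static String sanitize(String value) {
        return value.replaceAll("[\\r\\n]", "_");
    }

    /** Runs the request with the identifier in MDC and removes it afterwards (request threads are reused). */
    public static void withPrincipalId(Map<String, Object> claims,
                                       PrincipalIdExtractor extractor,
                                       Runnable request) {
        String id = extractor.apply(claims).map(MdcPrincipalId::sanitize).orElse("anonymous");
        MDC.put(MDC_KEY, id);
        try {
            request.run();
        } finally {
            MDC.remove(MDC_KEY);
        }
    }

    public static void main(String[] args) {
        // Constructed sample claims shaped like an Entra ID user token; not real data.
        Map<String, Object> userClaims = Map.of(
                "sub", "AAAAAAAAAAAAAAAAAAAAAKx1p2d8kf",
                "preferred_username", "alice@example.com",
                "oid", "00000000-0000-0000-0000-000000000000");
        // Constructed client-credential token: no human-readable claim, only "sub".
        Map<String, Object> clientClaims = Map.of("sub", "svc-billing-client\r\nINJECTED");

        withPrincipalId(userClaims, subClaim(),
                () -> System.out.println("sub extractor:      " + MDC.get(MDC_KEY)));
        withPrincipalId(userClaims, fromClaim("preferred_username"),
                () -> System.out.println("claim extractor:    " + MDC.get(MDC_KEY)));
        withPrincipalId(clientClaims, fromClaim("preferred_username"),
                () -> System.out.println("fallback + sanitize: " + MDC.get(MDC_KEY)));
    }
}
```

The `type: myIdExtractor` config key from the proposal would map onto one of these factory methods (or a user-supplied implementation of the interface); the default stays `subClaim()`, so existing deployments keep their current log output.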