[FEATURE/Extension] Audit log entry for OBO token generation

[RyanL1997]

Description

After the JwtVendor has generated an OBO token, it's essential that we link the audit log to track its usage, along with any specific information pertaining to this token.

Some of the information that should be traceable:

• cluster identifier
• extension/service identifier
• expiry
• specific actions that this token is used for

Exit Criteria

• Enable and Disable of audit logging
• The log of the generation of the token (including: timestamp and issuance)

[davidlago]

We need to better understand what compliance requirements look like around these new use cases.

[peternied]

Cannot make progress on this item until [1] is resolved

• [1] Audit log entry requirements for OBO tokens #3202

[davidlago]

Resolving #3098, but removing triaged label from this issue to signal that requirements are still needed in its description.

[setiah]

This seems to be coming from Extensions and not a standalone user request. @dagneyb if you have an opinion from extensions pov.
I suggest starting with basic auditing support on token usage. Some ideas below -

• Auditing events: associated with OBO token usage, such as issuance, validation and revocation (if supported). Log these events with associated metadata like user, IP address and timestamp.
• Configurable: provide option to enable/disable OBO usage auditing. (default - enabled)
• Documentation: ensure these changes are captured as part of security documentation.

We can evolve this in future as we get more incremental user feedback around this.

[peternied]

@RyanL1997 from what @setiah has added here, I think adding an audit category, and then adding another task for the documentation and what we have above should be all we need. What do you think?

If you think so can you update this issue and the related issues?

[stephen-crawford]

[Triage] Just following up @RyanL1997. Thank you!

[stephen-crawford]

[Triage] Hi @RyanL1997, please add information for the exit criteria of this issue and then assign the triaged label.