Log email, IP only in debug mode

pkg/keycloak/proxy/handlers.go

@@ -611,10 +611,12 @@ func loginHandler(
 
 		if err != nil {
 			clientIP := utils.RealIP(req)
-			scope.Logger.Error(err.Error(),
+			scope.Logger.Debug(
+				"login from",
 				zap.String("client_ip", clientIP),
 				zap.String("remote_addr", req.RemoteAddr),
 			)
+			scope.Logger.Error(err.Error())
 			writer.WriteHeader(code)
 		}
 	}
@@ -812,7 +814,7 @@ func logoutHandler(
 			case http.StatusOK:
 				scope.Logger.Info(
 					"successfully logged out of the endpoint",
-					zap.String("email", user.Email),
+					zap.String("userID", user.ID),
 				)
 			default:
 				content, _ := io.ReadAll(response.Body)

pkg/proxy/middleware/base.go

@@ -103,25 +103,24 @@ func LoggingMiddleware(
 				return
 			}
 
+			addr := utils.RealIP(req)
 			if verbose {
 				requestLogger := logger.With(
 					zap.Any("headers", req.Header),
 					zap.String("path", req.URL.Path),
 					zap.String("method", req.Method),
+					zap.String("client_ip", addr),
 				)
 				scope.Logger = requestLogger
 			}
 
 			next.ServeHTTP(resp, req)
 
-			addr := utils.RealIP(req)
-
 			if req.URL.Path == req.URL.RawPath || req.URL.RawPath == "" {
 				scope.Logger.Info("client request",
 					zap.Duration("latency", time.Since(start)),
 					zap.Int("status", resp.Status()),
 					zap.Int("bytes", resp.BytesWritten()),
-					zap.String("client_ip", addr),
 					zap.String("remote_addr", req.RemoteAddr),
 					zap.String("method", req.Method),
 					zap.String("path", req.URL.Path))
@@ -130,7 +129,6 @@ func LoggingMiddleware(
 					zap.Duration("latency", time.Since(start)),
 					zap.Int("status", resp.Status()),
 					zap.Int("bytes", resp.BytesWritten()),
-					zap.String("client_ip", addr),
 					zap.String("remote_addr", req.RemoteAddr),
 					zap.String("method", req.Method),
 					zap.String("path", req.URL.Path),

pkg/proxy/middleware/oauth.go

@@ -57,7 +57,6 @@ func AuthenticationMiddleware(
 				return
 			}
 
-			clientIP := utils.RealIP(req)
 			scope.Logger.Debug("authentication middleware")
 
 			// grab the user identity from the request
@@ -71,9 +70,7 @@ func AuthenticationMiddleware(
 			scope.Identity = user
 			ctx := context.WithValue(req.Context(), constant.ContextScopeName, scope)
 			lLog := scope.Logger.With(
-				zap.String("client_ip", clientIP),
 				zap.String("remote_addr", req.RemoteAddr),
-				zap.String("username", user.Name),
 				zap.String("sub", user.ID),
 				zap.String("expired_on", user.ExpiresAt.String()),
 			)

pkg/proxy/middleware/security.go

@@ -127,7 +127,7 @@ func AdmissionMiddleware(
 			user := scope.Identity
 			lLog := scope.Logger.With(
 				zap.String("access", "denied"),
-				zap.String("email", user.Email),
+				zap.String("userID", user.ID),
 				zap.String("resource", resource.URL),
 			)
 

pkg/testsuite/middleware_test.go

@@ -2515,6 +2515,7 @@ func TestLogRealIP(t *testing.T) {
 
 	cfg := newFakeKeycloakConfig()
 	cfg.EnableLogging = true
+	cfg.Verbose = true
 
 	var buffer bytes.Buffer
 	writer := bufio.NewWriter(&buffer)

pkg/utils/token.go

@@ -179,7 +179,7 @@ func CheckClaim(
 	errFields := []zapcore.Field{
 		zap.String("claim", claimName),
 		zap.String("access", "denied"),
-		zap.String("email", user.Email),
+		zap.String("userID", user.ID),
 		zap.String("resource", resourceURL),
 	}
 
@@ -236,6 +236,10 @@ func CheckClaim(
 
 		lLog.Warn(
 			"claim requirement does not match claim in token",
+		)
+
+		lLog.Debug(
+			"claims",
 			zap.String("issued", claims),
 			zap.String("required", match.String()),
 		)