
I have encountered an issue when creating tokens through the developer portal. It appears that the grant type used during token creation affects the username recorded in the apim_metrics.log.

[screenshot: oauth2 grant type]

When using client_credentials, the access token call logs the userName as [email protected]

12:57:07,266 [-] [PassThroughMessageProcessor-36]  INFO ELKCounterMetric apimMetrics: apim:response, properties :{"apiName":"PizzaShackAPI","proxyResponseCode":200,"destination":"https://localhost:9443/am/sample/pizzashack/v1/api/","apiCreatorTenantDomain":"carbon.super","platform":"Other","apiMethod":"GET","apiVersion":"1.0.0","gatewayType":"SYNAPSE","apiCreator":"admin","responseCacheHit":false,"backendLatency":13,"correlationId":"6028f20c-6a89-4f0d-b2e8-35f5382a3d0c","requestMediationLatency":3,"keyType":"SANDBOX","apiId":"e58c3413-b545-4910-982d-cadb26f949dc","applicationName":"DefaultApplication","targetResponseCode":200,"requestTimestamp":"2025-03-26T12:57:07.247Z","applicationOwner":"test","userAgent":"PostmanRuntime","userName":"[email protected]","apiResourceTemplate":"/menu","regionId":"default","responseLatency":17,"responseMediationLatency":1,"userIp":"172.19.0.1","apiContext":"/pizzashack/1.0.0","applicationId":"d714ec4c-ea29-4d6b-a586-36bcdf9e1daa","apiType":"HTTP","properties":{"commonName":"N/A","responseContentType":"application/json","subtype":"DEFAULT","isEgress":false,"apiContext":"/pizzashack/1.0.0","responseSize":0,"userName":"[email protected]"}}

However, when using the password grant type to obtain an access token and then call the same API, the userName in the logs changes to a UUID format: [email protected]

12:59:19,166 [-] [PassThroughMessageProcessor-38]  INFO ELKCounterMetric apimMetrics: apim:response, properties :{"apiName":"PizzaShackAPI","proxyResponseCode":200,"destination":"https://localhost:9443/am/sample/pizzashack/v1/api/","apiCreatorTenantDomain":"carbon.super","platform":"Other","apiMethod":"GET","apiVersion":"1.0.0","gatewayType":"SYNAPSE","apiCreator":"admin","responseCacheHit":false,"backendLatency":8,"correlationId":"649a33b8-5c7a-41a9-8326-12186d094ac1","requestMediationLatency":3,"keyType":"SANDBOX","apiId":"e58c3413-b545-4910-982d-cadb26f949dc","applicationName":"DefaultApplication","targetResponseCode":200,"requestTimestamp":"2025-03-26T12:59:19.153Z","applicationOwner":"test","userAgent":"PostmanRuntime","userName":"[email protected]","apiResourceTemplate":"/menu","regionId":"default","responseLatency":12,"responseMediationLatency":1,"userIp":"172.19.0.1","apiContext":"/pizzashack/1.0.0","applicationId":"d714ec4c-ea29-4d6b-a586-36bcdf9e1daa","apiType":"HTTP","properties":{"commonName":"N/A","responseContentType":"application/json","subtype":"DEFAULT","isEgress":false,"apiContext":"/pizzashack/1.0.0","responseSize":0,"userName":"[email protected]"}}

This difference is causing issues with our ELK setup as we can't reliably track API usage by individual users when the password grant type is used.

I've inspected the contents of both access tokens and noticed that the sub claim is actually the same in both cases. This makes the difference in the logged userName even more puzzling.

[screenshot: password grant type token]

[screenshot: client_credentials token]

I did find a workaround in the Carbon Management Console under Service Providers -> Claim Configuration, where setting the Subject Claim URI to username seems to ensure that the logged userName is consistent. However, this would require manual configuration in the Carbon portal every time a token is created via the devportal, which is not a feasible workflow. Additionally, developers shouldn't typically have access to the Carbon Management Console.

[screenshot: Claim Configuration]

Therefore, I have a couple of questions:

  1. Is this difference in userName logging based on the grant_type an expected behavior in WSO2 API Manager?
  2. If so, what is the underlying reason for this difference, especially when the sub claim remains the same?
  3. What is the recommended approach to ensure consistent and meaningful userName logging in the apim_metrics.log regardless of the grant_type used, without requiring manual configurations in the Carbon Management Console?

WSO2 APIM version: 4.4.0

  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Commented Mar 26 at 23:06

1 Answer


The mentioned behaviour is the default behaviour in the WSO2 API Manager, as the validation flows of Client Credentials and Password grants are different. However, we can overcome this behaviour by adding the following configuration to the deployment.toml and restarting the server:

[service_provider]
use_username_as_sub_claim = true

Please double check whether you have any existing configuration in the deployment.toml with [service_provider]. If yes, please append the above-mentioned configuration line (only use_username_as_sub_claim = true) to the same section.

This will update all existing and newly created Applications (Service Providers) from the DevPortal to use the username as the sub claim.
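As an added example (not part of the answer above and not WSO2's own tooling), the following Python helper applies that setting to a deployment.toml idempotently, honouring the caveat about an existing [service_provider] section: it adds the key inside an existing section, normalises an existing use_username_as_sub_claim line to true, or creates the section when it is absent. It also includes a small parser for apim_metrics.log lines so the userName field can be checked after the restart. The TOML fragments and the sample log line are constructed for this example; the only assumption about the real file is the flat [section] / key = value layout that deployment.toml uses.

```python
"""Idempotently enable use_username_as_sub_claim in a WSO2 APIM deployment.toml
and verify the userName reported in apim_metrics.log.

Example code, not part of the original answer or of WSO2 API Manager.
"""
import json
import re
from typing import Optional

SECTION = "[service_provider]"
KEY = "use_username_as_sub_claim"


def _insert_key(out: list) -> None:
    """Insert the key after the last non-blank line collected so far, so it
    stays inside the current section block rather than after trailing
    blank lines."""
    i = len(out)
    while i > 0 and not out[i - 1].strip():
        i -= 1
    out.insert(i, f"{KEY} = true")


def ensure_username_as_sub_claim(toml_text: str) -> str:
    """Return toml_text with `use_username_as_sub_claim = true` present exactly
    once inside [service_provider]. Safe to run repeatedly."""
    out = []
    in_section = False
    done = False
    for line in toml_text.splitlines():
        stripped = line.strip()
        # Any [section] or [[array]] header ends the current section.
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not done:
                _insert_key(out)
                done = True
            in_section = stripped == SECTION
            out.append(line)
            continue
        # Existing key inside the target section: normalise its value.
        if in_section and re.match(rf"\s*{KEY}\s*=", line):
            out.append(f"{KEY} = true")
            done = True
            continue
        out.append(line)
    # Target section was the last one in the file and lacked the key.
    if in_section and not done:
        _insert_key(out)
        done = True
    # No [service_provider] section at all: append one.
    if not done:
        if out and out[-1].strip():
            out.append("")
        out.append(SECTION)
        out.append(f"{KEY} = true")
    return "\n".join(out) + "\n"


def metric_username(log_line: str) -> Optional[str]:
    """Extract userName from one apim_metrics.log line. The JSON payload
    follows the literal text 'properties :' in the log format shown above."""
    _, sep, payload = log_line.partition("properties :")
    if not sep:
        return None
    try:
        return json.loads(payload.strip()).get("userName")
    except json.JSONDecodeError:
        return None


# Constructed sample inputs (not taken from a real deployment).
CFG_WITH_SECTION = (
    '[server]\nhostname = "localhost"\n\n'
    "[service_provider]\n# claim settings\n\n"
    '[database.apim_db]\ntype = "h2"\n'
)
CFG_WITHOUT_SECTION = '[server]\nhostname = "localhost"\n'
SAMPLE_METRIC_LINE = (
    "12:57:07,266 [-] [PassThroughMessageProcessor-36]  INFO ELKCounterMetric "
    'apimMetrics: apim:response, properties :{"apiName":"PizzaShackAPI",'
    '"userName":"alice@carbon.super","properties":{"userName":"alice@carbon.super"}}'
)

if __name__ == "__main__":
    print(ensure_username_as_sub_claim(CFG_WITH_SECTION))
    print(ensure_username_as_sub_claim(CFG_WITHOUT_SECTION))
    print(metric_username(SAMPLE_METRIC_LINE))
```

To apply it to a real installation, read `<APIM_HOME>/repository/conf/deployment.toml`, pass its contents through ensure_username_as_sub_claim, write the result back, restart the server, and confirm with metric_username that tokens from both grant types now yield the same userName in apim_metrics.log.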
