As per [JCOMOIDC-79] Add protocol message logging support to the AbstractOIDCMessageEncoder - Shibboleth Jira (atlassian.net) I will switch this over to OAUTH2.

Thanks, Brent. I added protocol logging support to the AbstractOIDCMessageEncoder which captures both HTTPPostAuthnResponseDecoder and HTTPRedirectAuthnResponseDecoder. Also added to the SimpleNimbusResponseEncoder.

I used OIDC as the protocol message logger subcategory for HTTPRedirectAuthnResponseDecoder and HTTPPostAuthnResponseDecoder. These specifically encode OIDC authentication requests. Although these are also OAuth authorization requests, maybe I should switch it to OAUTH2 to match the OP — esp. given the OP will be using the OAUTH2 category even when it is decoding OIDC authentication requests.

Updated the admin decoders to use “.ADMIN”.

Also updated the API so the decoder/encoder impls set the sub-category relative to the base category “PROTOCOL_MESSAGE”. Seems cleaner and ensures all logging is either to the latter or a more specific sub-category.

I think using ADMIN makes sense, yes.

Just committed all this, including the OIDC updates.

On the OIDC projects, there were some encoder and decode subclasses that did not currently implement protocol logging. The message types there are all Nimbus objects, and they don’t seem to implement a useful toString(). For those, to retain fidelity with the existing behaviour, I overrode the serialize method to return null, which will suppress the log output. I believe those are:

• HTTPPostAuthnResponseDecoder

• HTTPRedirectAuthnResponseDecoder

• AbstractOIDCMessageEncoder

• SimpleNimbusResponseEncoder

If we want meaningful protocol logs on those at some point, the serialize method would have to be implemented for each. I’ll punt those off to, as it gets into the guts of Nimbus stuff, with which I’m not familiar.

As an aside, in the issue description “.OIDC” was mentioned, but all the classes here which currently had protocol logging were doing “.OAUTH2”, so I preserved that. Just FYI.