ARTIFACTORY: How to print the Artifactory Access Token ID for Auditing purposes
Fact:
Access tokens are an alternative means of authentication and can be used instead of a username and password. Artifactory users can generate multiple access tokens, both expirable and non-expirable, each with a unique Token ID created for auditing purposes.
Problem statement:
A user can have multiple access tokens. If one of my access tokens is compromised, how do I know which token I should revoke?
When a user accesses a JFrog instance using an access token, the current logging mechanism logs only the “username” in the Artifactory request logs, not the Token ID.
For example, assume I have an access token generated for an admin user and I try to download the file “test1.jar” from Artifactory.
Username: admin
Scope: applied-permissions/admin
Audience: *@*
Token ID: 3f58786e-xxxxxxxxxxxxxxxxxx-320dbcf3417f
Expires In: 0 (never expires)
Artifactory logs only the username associated with the token in “artifactory-access.log” and “artifactory-request.log”, so we do not know which token was used to download “test1.jar” from Artifactory.
“artifactory-access.log” and “artifactory-request.log” entries:
artifactory-access.log:2022-10-21T08:01:00.443Z [76d0eea37f2986bb] [ACCEPTED DOWNLOAD] libs-snapshot-local:test1.jar for client : admin / xx.xx.xx.xx..
artifactory-request.log:2022-10-21T08:01:00.142Z|76d0eea37f2986bb|xx.xx.xx.xx.|admin|GET|/libs-snapshot-local/test1.jar|200|-1|38553858|3953|curl/7.79.1
How to enable logging to print the Token ID in the Router request log:
To enable Token ID logging, update the router logging configuration below in the Artifactory system.yaml file.
Note: This change requires a restart of the Artifactory instance.
## Logging Settings
router:
  logging:
    request:
      verbose: true
      tokenIdLoggingEnabled: true
After Token ID logging is enabled, Artifactory starts printing the Token ID in “router-request.log”. To find the actual Token ID, you need to correlate the “request.log” entries with the “router-request.log” entries.
For example, after downloading “test1.jar” from Artifactory, the log entries are as follows:
Request.log:
artifactory-access.log:2022-10-21T08:10:49.443Z [70f0eef37f2870bb] [ACCEPTED DOWNLOAD] libs-snapshot-local:test1.jar for client : admin / xx.xx.xx.xx..
artifactory-request.log:2022-10-21T08:10:53.142Z|70f0eef37f2870bb|xx.xx.xx.xx.|admin|GET|/libs-snapshot-local/test1.jar|200|-1|38553858|3953|curl/7.79.1
router-request.log:
"request_Uber-Trace-Id":"70f0eef37f2870bb:6bcbd9ea033cfbf8:70f0eef37f2870bb:0"
"request_X-Jfrog-Auth-Token-Id":"3f58786e-xxxxxxxxxxxxxxxxxx-320dbcf3417f","time":"2022-10-21T08:10:54Z"}
Please note that enabling this logger adds performance overhead. You may refer to the Artifactory system.yaml wiki page for more information.
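The correlation between “artifactory-request.log” and “router-request.log” described above can be scripted. This is an added example, not JFrog's code: it assumes one JSON object per router-request.log line carrying the two fields shown above, takes the trace ID as the first colon-separated part of request_Uber-Trace-Id, and runs on constructed sample lines; the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample data modelled on the entries shown above; real
# router-request.log lines carry more JSON fields than these three.
REQUEST_LOG = """\
2022-10-21T08:10:53.142Z|70f0eef37f2870bb|xx.xx.xx.xx.|admin|GET|/libs-snapshot-local/test1.jar|200|-1|38553858|3953|curl/7.79.1
2022-10-21T08:12:10.007Z|1a2b3c4d5e6f7081|xx.xx.xx.xx.|admin|GET|/libs-snapshot-local/test2.jar|200|-1|1024|12|curl/7.79.1
2022-10-21T08:13:00.500Z|ffffffffffffffff|xx.xx.xx.xx.|admin|GET|/libs-snapshot-local/test3.jar|200|-1|1024|12|curl/7.79.1
"""
ROUTER_LOG = """\
{"request_Uber-Trace-Id":"70f0eef37f2870bb:6bcbd9ea033cfbf8:70f0eef37f2870bb:0","request_X-Jfrog-Auth-Token-Id":"3f58786e-xxxxxxxxxxxxxxxxxx-320dbcf3417f","time":"2022-10-21T08:10:54Z"}
{"request_Uber-Trace-Id":"1a2b3c4d5e6f7081:0000000000000001:1a2b3c4d5e6f7081:0","request_X-Jfrog-Auth-Token-Id":"TOKEN-ID-PLACEHOLDER-2","time":"2022-10-21T08:12:10Z"}
not-json line that a truncated or rotated file might contain
"""

def token_ids_by_trace(router_log):
    """Map trace ID -> Token ID from router-request.log JSON lines."""
    tokens = {}
    for line in router_log.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(entry, dict):
            continue
        # Uber-Trace-Id is "trace:span:parent:flags"; the first part is
        # the value that also appears as field 2 of the request log.
        trace = entry.get("request_Uber-Trace-Id", "").split(":")[0]
        token = entry.get("request_X-Jfrog-Auth-Token-Id")
        if trace and token:
            tokens[trace] = token
    return tokens

def requests_by_token(request_log, router_log):
    """Group (time, user, method, path) request tuples by Token ID."""
    tokens = token_ids_by_trace(router_log)
    grouped = defaultdict(list)
    for line in request_log.splitlines():
        fields = line.split("|")
        if len(fields) < 6:
            continue  # not a request-log entry in the format shown above
        ts, trace, _ip, user, method, path = fields[:6]
        grouped[tokens.get(trace, "UNKNOWN")].append((ts, user, method, path))
    return dict(grouped)

if __name__ == "__main__":
    for token, reqs in requests_by_token(REQUEST_LOG, ROUTER_LOG).items():
        for ts, user, method, path in reqs:
            print(f"{token}  {ts}  {user}  {method} {path}")
```

Requests grouped under UNKNOWN have no matching router entry, for example because they were made before Token ID logging was enabled or did not authenticate with an access token.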
