Learning to navigate the codebase; is there any audit functionality?


I am reviewing Spring Authorization Server as a possible library at work, and I am just learning to navigate the code base. I have found a lot of the stuff I was expecting to find, and the code base is navigable and understandable.

One thing I would expect from a security service like this would be auditing: somewhere the user can see successful and failed logins, and potentially also which clients performed the login. I am not thinking about log4j logging, which exists, but something structured and user-accessible. I would expect to find something like it around https://github.com/spring-projects/spring-authorization-server/blob/7c197164e95395ff71ec03c191ee0ab655affdf2/oauth2-authorization-server/src/main/java/org/springframework/security/oauth2/server/authorization/authentication/OAuth2AuthorizationCodeAuthenticationProvider.java#L294, with the whole method wrapped in a try-catch to catch the failure case(s).

I can't find it, and I also could not find a ticket in GitHub for it. My not finding it might be because I don't understand how to look yet. Is there any?

If there isn't, do you feel this is something that should be in the library in the future as a configurable feature, potentially with an example JDBC implementation, like for users and clients?

1

There is 1 answer

2
Steve Riesenberg

See the following issues for background: #1369, #203, #217, #159

The short answer is that there is not currently an official auditing framework. However, Observability is a first-class feature in Spring (see blog post). Spring Authorization Server is built on Spring Security, which also has Observability support primarily for tracing information.

I would encourage you to explore existing features first, and if your use case is not covered, please feel free to open an issue with full supporting information on your use case.
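As an added example (not code from the question, the answer, or the Spring projects), this is the kind of structured audit sink the existing Spring Security features allow today: a listener on the authentication events that `ProviderManager` publishes for both end-user logins and client/token grants. It assumes the usual Spring Boot wiring, where the `HttpSecurity` `ProviderManager` publishes through the `AuthenticationEventPublisher` bean; `AuditStore` is a hypothetical interface standing in for a JDBC-backed table.

```java
// Added example, not Spring Authorization Server code. Assumes Spring Boot wiring in which
// HttpSecurity's ProviderManager publishes through the AuthenticationEventPublisher bean.
import org.springframework.context.ApplicationEventPublisher;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.event.EventListener;
import org.springframework.security.authentication.DefaultAuthenticationEventPublisher;
import org.springframework.security.authentication.event.AbstractAuthenticationFailureEvent;
import org.springframework.security.authentication.event.AuthenticationFailureBadCredentialsEvent;
import org.springframework.security.authentication.event.AuthenticationSuccessEvent;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.stereotype.Component;

@Configuration
class AuthAuditConfig {
    // The authorization server's providers fail with OAuth2AuthenticationException, which
    // DefaultAuthenticationEventPublisher does not map by default, so the failure would only be
    // logged and no event published. A default failure event closes that gap.
    @Bean
    DefaultAuthenticationEventPublisher authenticationEventPublisher(ApplicationEventPublisher delegate) {
        DefaultAuthenticationEventPublisher publisher = new DefaultAuthenticationEventPublisher(delegate);
        publisher.setDefaultAuthenticationFailureEvent(AuthenticationFailureBadCredentialsEvent.class);
        return publisher;
    }
}

@Component
class AuthAuditListener {
    // Hypothetical store; a JDBC implementation would insert one row per record.
    interface AuditStore { void save(String outcome, String actor, String flow, String detail); }
    private final AuditStore store;
    AuthAuditListener(AuditStore store) { this.store = store; }

    @EventListener
    void onSuccess(AuthenticationSuccessEvent event) {
        Authentication auth = event.getAuthentication();
        // Covers end-user logins (username) as well as client authentication and token grants (client_id).
        store.save("SUCCESS", actorOf(auth), auth.getClass().getSimpleName(), "");
    }

    @EventListener
    void onFailure(AbstractAuthenticationFailureEvent event) {
        Authentication auth = event.getAuthentication();
        String detail = event.getException() instanceof OAuth2AuthenticationException ex
                ? ex.getError().getErrorCode() : event.getException().getClass().getSimpleName();
        store.save("FAILURE", actorOf(auth), auth.getClass().getSimpleName(), detail);
    }

    // Grant tokens carry the authenticated client as their principal; its name is the client_id.
    private static String actorOf(Authentication auth) {
        return auth.getPrincipal() instanceof OAuth2ClientAuthenticationToken client ? client.getName() : auth.getName();
    }
}
```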