Auditing in OpenFGA System

[chahat-agarwal]

Is it possible to trace which user has added a new record in the OPENFGA system, and is there user management in place to audit this information back to its origin?

Additionally, we observed that the captured IP address does not correspond to the original IP address from which the system was accessed/triggered. eg: "peer.address": "127.0.0.1:42574" from Openfga logs

Any controllability on Logging format?

Is there any configuration to generate Audit logs or Application logs which are generated are the only source of truth?

[aaguiarz]

Hi @chahat-agarwal

Would adding those additional parameters (user/IP) to the Write() API, and have the values logged in the application logs solve this problem for you?

[chahat-agarwal]

Hey @aaguiarz,

Capturing the IP address via additional parameters could lead to potential manipulation. Instead, we should capture the IP address from the X-Forwarded-For header or directly from the request when it originates(even from OpenFGA playground). This will ensures accuracy and security.

For reference, you can check this documentation.

[aaguiarz]

Thanks @chahat-agarwal

How would you want to specify the user that actually performed the action?

[chahatagarwal]

Hey @aaguiarz, would capturing the IP address from which the request originated help us trace and audit for purposes.

[danielloader]

If you're doing OIDC and a backend calls it, you could propagate the token from the calling actor and take the sub (and potentially other) fields from the token.

Currently I'm doing a machine to machine client credentials flow as documented but a token passthrough option would potentially help here with the spoofing/accuracy of the information if you have a JWT secured application.