
Add audit logging for service impersonation events #49

Merged
dipesh-rumsan merged 4 commits into rc/internal-service-auth from copilot/sub-pr-48
Jan 30, 2026
Copilot AI commented Jan 30, 2026

Service impersonation requests were not logged, creating a security audit gap. Services can act as users via the X-Impersonate-Id header, but there was no persistent record of these actions.

Changes

  • Added Logger to HybridJwtGuard: Logs all impersonation attempts (success and failure) with service name, user UUID, and roles
  • Three failure cases tracked: service lacks impersonation permission, user not found, user role restrictions violated
  • Privacy-preserving: Logs user UUIDs only, not internal numeric IDs or PII (names, emails)

Example log output:

Service impersonation granted - SMS Bridge: user abc-123-def with roles USER,ADMIN
Service impersonation denied - Payment Gateway: user not found
Service impersonation denied - Notification Service: service not allowed to impersonate

Audit logs follow existing auth service patterns for consistency.



Copilot AI and others added 3 commits January 30, 2026 08:03
Co-authored-by: dipesh-rumsan <203831631+dipesh-rumsan@users.noreply.github.com>
Co-authored-by: dipesh-rumsan <203831631+dipesh-rumsan@users.noreply.github.com>
Co-authored-by: dipesh-rumsan <203831631+dipesh-rumsan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Address feedback on service authentication with OAuth2" to "Add audit logging for service impersonation events" Jan 30, 2026
Copilot AI requested a review from dipesh-rumsan January 30, 2026 08:08
dipesh-rumsan marked this pull request as ready for review January 30, 2026 08:09
dipesh-rumsan merged commit ea9d388 into rc/internal-service-auth Jan 30, 2026
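
The impersonation audit logging described in the PR description above, sketched as an added example that is not code from this PR or the project. Every name here (`auditImpersonation`, `RESTRICTED_ROLES`, `clean`, the sample services and users) and the wording of the role-restriction message are assumptions; the other log lines follow the format quoted in the description, and the control-character stripping goes beyond what the description states.

```typescript
// Added illustration; all names are hypothetical, not the project's code.
type Outcome = { granted: boolean; line: string };
interface Service { name: string; canImpersonate: boolean }
interface User { uuid: string; id: number; email: string; roles: string[] }

// Assumption: roles that a service may never impersonate.
const RESTRICTED_ROLES = new Set(["SUPERADMIN"]);

// Replace control characters so a crafted value cannot forge extra log lines.
const clean = (s: string): string => s.replace(/[\x00-\x1f\x7f]/g, "_");

function auditImpersonation(
  service: Service,
  targetUuid: string,
  findUser: (uuid: string) => User | undefined,
  log: (line: string) => void,
): Outcome {
  const deny = (reason: string): Outcome => {
    const line = `Service impersonation denied - ${clean(service.name)}: ${reason}`;
    log(line);
    return { granted: false, line };
  };
  // Failure 1: the calling service has no impersonation permission.
  if (!service.canImpersonate) return deny("service not allowed to impersonate");
  // Failure 2: the requested UUID is not echoed on a miss; only a resolved UUID is logged.
  const user = findUser(targetUuid);
  if (!user) return deny("user not found");
  // Failure 3: the target holds a role that must not be impersonated.
  if (user.roles.some((r) => RESTRICTED_ROLES.has(r))) return deny("user role restricted");
  // Success: UUID and roles only, never the numeric id or email.
  const line = `Service impersonation granted - ${clean(service.name)}: user ${user.uuid} with roles ${user.roles.join(",")}`;
  log(line);
  return { granted: true, line };
}

// Constructed sample data.
const users: User[] = [
  { uuid: "abc-123-def", id: 42, email: "a@example.test", roles: ["USER", "ADMIN"] },
  { uuid: "root-000", id: 1, email: "r@example.test", roles: ["SUPERADMIN"] },
];
const lookup = (uuid: string): User | undefined => users.find((u) => u.uuid === uuid);
const auditLog: string[] = [];
const sink = (l: string): void => { auditLog.push(l); };
```
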