Showing posts from August, 2025

📘 Understanding MDC and NDC in Logging

When debugging production issues, logs are your best friends. But in multi-threaded applications or systems handling multiple requests, logs can quickly become messy and hard to trace. This is where MDC (Mapped Diagnostic Context) and NDC (Nested Diagnostic Context) come in.

🔹 What is MDC?

MDC (Mapped Diagnostic Context) allows you to store key-value pairs that are automatically added to your log entries.

👉 Example use case: Storing userId, transactionId, or requestId in MDC so every log line contains this contextual information. This makes tracing requests across distributed services much easier.

Code Example (SLF4J with Logback):

    import org.slf4j.Logger;
    import org.slf4j.LoggerFactory;
    import org.slf4j.MDC;

    public class MDCExample {
        private static final Logger log = LoggerFactory.getLogger(MDCExample.class);

        public static void main(String[] args) {
            MDC.put("userId", "12345");
            MDC.put("transactionId", "txn-987...

Understanding OIDCLoginProtocol.SCOPE_PARAM in Keycloak

When integrating with Keycloak for OpenID Connect (OIDC) authentication, you might encounter code like:

    clientSessionCtx.getClientSession()
            .setNote(OIDCLoginProtocol.SCOPE_PARAM, "openid");

This small line plays a big role in deciding whether you get an ID Token (and identity claims) or just an Access Token.

What is OIDCLoginProtocol.SCOPE_PARAM?

OIDCLoginProtocol.SCOPE_PARAM corresponds to the scope parameter in an OIDC authentication request. Scopes tell the Identity Provider (IdP) what kind of information and tokens the client is asking for. In OIDC, the "openid" scope is mandatory to receive an ID token.

Case 1: Passing "openid"

Flow

When you set the scope to "openid", Keycloak treats this as an OpenID Connect request: the OIDC flow is triggered instead of pure OAuth 2.0. Keycloak issues:

- ID Token (JWT) containing user identity claims.
- Access Token for API access.
- Optionally, a Refresh Token.

...

Understanding the failedLogin() Method with Sequence Diagram

When a login attempt fails, the failedLogin() method is triggered to log the event. Let’s break it down step-by-step so even a fresher can understand:

Method Overview

    public void failedLogin(RealmModel realm, UserModel user, ClientConnection clientConnection) {
        try {
            FailedLogin event = new FailedLogin(realm.getId(), user.getId(), clientConnection.getRemoteAddr());
            this.queue.offer(event);
            event.latch.await(5L, TimeUnit.SECONDS);
        } catch (InterruptedException var5) {
            // Interrupted while waiting
        }
        logger.trace("sent failure event");
    }

Step-by-Step Explanation:

1. Trigger on Failed Login – Whenever a user enters the wrong credentials, this method is called.
2. Create a Failed Login Event – The FailedLogin object stores details such as:
   - realmId – The security domain in which the login failed.
   - userId – The user who failed to log in.
   - remoteAddress – The IP address from where the attempt was made.
3. Add to...