Does ControllerActionInvoker need to use LogLevel.Warning when an authorize filter fails?

[tuespetre]

Just wondering because we get a lot of log pollution from this (filtering LogLevel.Information and lower out in production.) We can definitely filter out this specific message but, at least for us, LogLevel.Warning seems excessive for this message. For reference, we have a slew of applications using an internal OAuth provider with a short-lived token (to keep permissions up-to-date with minimal need to ask a user to clear cookies, etc.) Because most of our apps are authenticated-only (and automatically so), we get this message all the time.

I could see this being excessive for other scenarios as well:

• Users navigating to a 'my account details' page on a shopping site
• Users clicking 'send message to this user' or 'post reply' on a social/discussion site
• Users bookmarking a specific page that happens to require them to be logged in

[rynowak]

Yeah, given that our authentication system asks for forgiveness rather than for permission, this seems like it should be info. @HaoK @Eilon thoughts?

[Eilon]

Hmm I'm a bit conflicted on this. I think I do agree that Warning is too important a level for this. It's not "bad" and it's not an app programming error to go to a URL when you're not authenticated (or authenticated as the wrong user). It's just app logic and flow with regard to business requirements.

I think more serious things such as entering invalid username/password is a "warning" because that could more likely be something an admin would want to see in a report.

[HaoK]

Interesting, well the logging in Authorize itself already logs failures at info, so this would make us consistent. cc @blowdart for FYI

https://github.com/aspnet/Security/blob/dev/src/Microsoft.AspNetCore.Authorization/LoggingExtensions.cs#L19

[rynowak]

It's just app logic and flow with regard to business requirements.

This really seems appropriate for info or debug then

[Eilon]

Let's do Info.

[ajaybhargavb]

8de4ddc