wso2 - Inconsistent Username Logging in API Manager Metrics for Different Oauth2 Grant Types - Stack Overflow

I have encountered an issue when creating tokens through the developer portal. It appears that the grant type used during token creation affects the username recorded in the apim_metrics.log.

oauth2 grant type

When using client_credentials, the access token call logs the userName as [email protected]

12:57:07,266 [-] [PassThroughMessageProcessor-36]  INFO ELKCounterMetric apimMetrics: apim:response, properties :{"apiName":"PizzaShackAPI","proxyResponseCode":200,"destination":"https://localhost:9443/am/sample/pizzashack/v1/api/","apiCreatorTenantDomain":"carbon.super","platform":"Other","apiMethod":"GET","apiVersion":"1.0.0","gatewayType":"SYNAPSE","apiCreator":"admin","responseCacheHit":false,"backendLatency":13,"correlationId":"6028f20c-6a89-4f0d-b2e8-35f5382a3d0c","requestMediationLatency":3,"keyType":"SANDBOX","apiId":"e58c3413-b545-4910-982d-cadb26f949dc","applicationName":"DefaultApplication","targetResponseCode":200,"requestTimestamp":"2025-03-26T12:57:07.247Z","applicationOwner":"test","userAgent":"PostmanRuntime","userName":"[email protected]","apiResourceTemplate":"/menu","regionId":"default","responseLatency":17,"responseMediationLatency":1,"userIp":"172.19.0.1","apiContext":"/pizzashack/1.0.0","applicationId":"d714ec4c-ea29-4d6b-a586-36bcdf9e1daa","apiType":"HTTP","properties":{"commonName":"N/A","responseContentType":"application/json","subtype":"DEFAULT","isEgress":false,"apiContext":"/pizzashack/1.0.0","responseSize":0,"userName":"[email protected]"}}

However, when using the password grant type to obtain an access token and then call the same API, the userName in the logs changes to a UUID format: [email protected]

12:59:19,166 [-] [PassThroughMessageProcessor-38]  INFO ELKCounterMetric apimMetrics: apim:response, properties :{"apiName":"PizzaShackAPI","proxyResponseCode":200,"destination":"https://localhost:9443/am/sample/pizzashack/v1/api/","apiCreatorTenantDomain":"carbon.super","platform":"Other","apiMethod":"GET","apiVersion":"1.0.0","gatewayType":"SYNAPSE","apiCreator":"admin","responseCacheHit":false,"backendLatency":8,"correlationId":"649a33b8-5c7a-41a9-8326-12186d094ac1","requestMediationLatency":3,"keyType":"SANDBOX","apiId":"e58c3413-b545-4910-982d-cadb26f949dc","applicationName":"DefaultApplication","targetResponseCode":200,"requestTimestamp":"2025-03-26T12:59:19.153Z","applicationOwner":"test","userAgent":"PostmanRuntime","userName":"[email protected]","apiResourceTemplate":"/menu","regionId":"default","responseLatency":12,"responseMediationLatency":1,"userIp":"172.19.0.1","apiContext":"/pizzashack/1.0.0","applicationId":"d714ec4c-ea29-4d6b-a586-36bcdf9e1daa","apiType":"HTTP","properties":{"commonName":"N/A","responseContentType":"application/json","subtype":"DEFAULT","isEgress":false,"apiContext":"/pizzashack/1.0.0","responseSize":0,"userName":"[email protected]"}}

This difference is causing issues with our ELK setup as we can't reliably track API usage by individual users when the password grant type is used.

I've inspected the contents of both access tokens and noticed that the sub claim is actually the same in both cases. This makes the difference in the logged userName even more puzzling.

password grant type

client_credentials

I did find a workaround in the Carbon Management Console under Service Providers -> Claim Configuration, where setting the Subject Claim URI to username seems to ensure that the logged userName is consistent. However, this would require manual configuration in the Carbon portal every time a token is created via the devportal, which is not a feasible workflow. Additionally, developers shouldn't typically have access to the Carbon Management Console.

Claim Configuration

Therefore, I have a couple of questions:

  1. Is this difference in userName logging based on the grant_type an expected behavior in WSO2 API Manager?
  2. If so, what is the underlying reason for this difference, especially when the sub claim remains the same?
  3. What is the recommended approach to ensure consistent and meaningful userName logging in the apim_metrics.log regardless of the grant_type used, without requiring manual configurations in the Carbon Management Console?

WSO2 APIM version: 4.4.0
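Added example, not part of the original question and not WSO2 code: a log-side check that parses apim_metrics.log lines in the format shown above and reports applications whose events carry both a name-form and a UUID-form userName, so the affected traffic can be identified before it skews per-user dashboards. The sample lines, the user name, the user UUID and the second applicationId are constructed for illustration.

```python
import json
import re
from collections import defaultdict

MARKER = "properties :"  # text that precedes the JSON payload in each metrics line
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

def parse_metric_line(line):
    """Return the JSON properties of one metrics line, or None if there are none."""
    _, sep, payload = line.partition(MARKER)
    if not sep:
        return None
    try:
        return json.loads(payload.strip())
    except json.JSONDecodeError:
        return None

def username_kind(user_name):
    """'uuid' when the part before the last '@' is a UUID, otherwise 'name'."""
    local = user_name.rsplit("@", 1)[0]
    return "uuid" if UUID_RE.match(local) else "name"

def mixed_identity_apps(lines):
    """Map applicationId -> userName kinds seen, only for apps logging both forms."""
    seen = defaultdict(set)
    for line in lines:
        event = parse_metric_line(line)
        if event and "userName" in event and "applicationId" in event:
            seen[event["applicationId"]].add(username_kind(event["userName"]))
    return {app: sorted(kinds) for app, kinds in seen.items() if len(kinds) > 1}

def _line(app_id, user):
    # Builds a constructed log line with the same prefix and key names as the page's logs.
    body = {"apiName": "PizzaShackAPI", "applicationId": app_id,
            "userName": user, "properties": {"userName": user}}
    return ("12:57:07,266 [-] [PassThroughMessageProcessor-36]  INFO "
            "ELKCounterMetric apimMetrics: apim:response, properties :" + json.dumps(body))

APP = "d714ec4c-ea29-4d6b-a586-36bcdf9e1daa"        # applicationId from the logs above
OTHER_APP = "00000000-0000-0000-0000-000000000001"  # constructed
SAMPLE = [  # constructed sample input
    _line(APP, "alice@carbon.super"),
    _line(APP, "3f2b8c1e-0d4a-4b6f-9a7e-5c1d2e3f4a5b@carbon.super"),
    _line(OTHER_APP, "bob@carbon.super"),
    "12:57:08,001 [-] [main]  INFO SomeOtherLogger unrelated line",
]

if __name__ == "__main__":
    print(mixed_identity_apps(SAMPLE))
```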

Published by: admin. Please credit the source when reposting: http://www.yc00.com/questions/1744137139a4560111.html