Since the OpenID claims likely contain personal data (PII), and may contain other security-sensitive information, they are not logged by default in the TIBCO Spotfire Server server.log. If TRACE logging is enabled prior to TIBCO Spotfire Server 10.9, Spotfire logs the names of available claims in OpenID Connect ID tokens and UserInfo endpoint responses.

Refer to KB 000041759 How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID configuration.

• If the property is set to true then all claims (including values) in ID tokens and UserInfo Endpoint responses will be logged (on INFO level).
• If the property is set to false then only the names of claims will be logged (on TRACE level), just like mentioned in KB 000041759 How to find the supported claims in Identity provider that can be used in TIBCO Spotfire Server OpenID Configuration .

1. Export current server configuration using  CLI command export-config 

   >config.bat export-config

2. Run the following command to enable logging of claims including values

   >config.bat set-config-prop --name=security.oidc.log-claim-values --value=true

3. Import configuration back to the database using import-config command.

   >config.bat import-config -c "Enabled logging of Claims values"

4. Restart the Spotfire Server Service.
    

• https://support.tibco.com/s/article/How-to-find-the-supported-claims-in-Identity-provider-that-can-be-used-in-TIBCO-Spotfire-Server-OpenID-Configuration

• https://docs.tibco.com/pub/spotfire_server/10.3.9/doc/html/TIB_sfire_server_tsas_admin_help/GUID-3188EF2A-E7BD-481C-822B-7579B69B0DB9.html

• https://docs.tibco.com/pub/spotfire_server/10.3.9/doc/html/TIB_sfire_server_tsas_admin_help/GUID-AD39E75E-9C03-41A1-A2F1-01363389A398.html