Feature Request: Authorization Server Activity Feed and Audit API
Summary:
Provide an activity feed within the authorization server that records key user and access events (logins, logouts, failed logins, user creation, role assignments/changes, and access tag updates) and exposes this data via an API so it can be consumed by external security dashboards and monitoring tools in near real time.
Problem Statement:
Today, organizations lack a centralized, real-time view of how users are accessing systems through the authorization server. Critical events such as failed logins, role changes, and access tag modifications are not easily auditable or aggregated for security review. This makes it difficult to meet compliance requirements, quickly investigate incidents, and maintain a complete audit trail of access-related activity across systems.
Proposed Solution:
Implement an activity feed in the authorization server that captures and stores a timeline of key security and access events, including:
Successful logins and logouts
Failed login attempts
User account creation
Role assignments and role changes
Access tag assignments and removals
Expose this activity feed via a secure, documented API so external systems (e.g., SIEMs, security dashboards, and audit tools) can:
Query historical events with filters (e.g., by user, time range, event type, client/system)
Consume events in near real time (e.g., via webhooks or a streaming endpoint)
Handle pagination and rate limits to support large volumes of data
Ensure the activity feed includes sufficient metadata (timestamps, actor, target user/resource, originating client/application, IP address where applicable) to support auditing and incident investigation. Apply appropriate security controls and permissions so only authorized administrative and security roles can access the feed and API.
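A sketch of the query side of the proposed feed follows. It is an added example, not code from the authorization server: an event record carrying the metadata listed above, and a filtered, cursor-paginated read that is refused to callers without an audit role. The role names, event type strings, page-size cap, and function names are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

ALLOWED_ROLES = {"security_admin", "auditor"}  # hypothetical role names
MAX_PAGE_SIZE = 100                            # hypothetical server-side cap

@dataclass(frozen=True)
class AuditEvent:
    id: int                 # monotonically increasing; doubles as the cursor
    timestamp: datetime     # always UTC
    event_type: str         # e.g. "login.failed", "role.assigned"
    actor: str              # who performed the action
    target: str             # user or resource acted on
    client: str             # originating client/application
    ip: Optional[str]       # None where not applicable

def utc(minute):
    return datetime(2024, 1, 1, 12, minute, tzinfo=timezone.utc)

# Constructed sample events, ordered by id.
EVENTS = [
    AuditEvent(1, utc(0), "login.failed", "alice", "alice", "portal", "198.51.100.7"),
    AuditEvent(2, utc(1), "login.failed", "alice", "alice", "portal", "198.51.100.7"),
    AuditEvent(3, utc(2), "login.success", "alice", "alice", "portal", "198.51.100.7"),
    AuditEvent(4, utc(5), "role.assigned", "admin1", "alice", "admin-console", None),
    AuditEvent(5, utc(9), "login.failed", "bob", "bob", "mobile", "203.0.113.9"),
]

def query_events(caller_roles, events, *, user=None, event_type=None, client=None,
                 since=None, until=None, after_id=0, limit=50):
    """Return (page, next_cursor); next_cursor is None when nothing is left."""
    if not ALLOWED_ROLES & set(caller_roles):
        raise PermissionError("caller lacks an audit-read role")
    limit = max(1, min(limit, MAX_PAGE_SIZE))   # clamp the client-supplied size
    matches = [
        e for e in events
        if e.id > after_id                      # resume strictly after the cursor
        and (user is None or user in (e.actor, e.target))
        and (event_type is None or e.event_type == event_type)
        and (client is None or e.client == client)
        and (since is None or e.timestamp >= since)
        and (until is None or e.timestamp < until)
    ]
    page = matches[:limit]
    more = len(matches) > limit
    return page, (page[-1].id if more else None)
```

Using the event id as the cursor, rather than a page offset, keeps pages stable while new events are appended to the feed.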
Benefits:
Enables real-time auditing of user and access activity across systems using the authorization server.
Improves incident detection and response by providing a single, authoritative event stream for security teams.
Supports regulatory and compliance requirements for access logging and traceability.
Reduces manual effort needed to correlate events from multiple systems by centralizing access-related activity.
Increases confidence in the authorization server as a secure, auditable component within the organization’s security architecture.