When touching some code, I noticed that authorization logging is currently done rather inconsistently across the call-sites and many cases do not log the request:
$ grep -R -A 3 'LOG.*Authorizing' src Should authorization logging be the concern of an authorizer implementation? For audit purposes I could imagine this also being part of a separate log that the authorizer maintains? Ben