From 0c7bac26b7d3720d30bcefdaacbc45aedbee45c1 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 7 Apr 2017 11:48:53 -0400
Subject: [PATCH] Add additional debug logs to OIDC auth to make debugging easier

---
 oauth/oidc.py | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/oauth/oidc.py b/oauth/oidc.py
index 8d509317f..2e714a555 100644
--- a/oauth/oidc.py
+++ b/oauth/oidc.py
@@ -127,6 +127,8 @@ class OIDCLoginService(OAuthService):
     # Verify subs.
     if user_info['sub'] != decoded_id_token['sub']:
+      logger.debug('Mismatch in `sub` returned by OIDC user info endpoint: %s vs %s',
+                   user_info['sub'], decoded_id_token['sub'])
       raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint')
     # Check if we have a verified email address.
@@ -185,6 +187,8 @@ class OIDCLoginService(OAuthService):
     if kid is None:
       raise InvalidTokenError('Missing `kid` header')
+    logger.debug('Using key `%s`, attempting to decode token `%s` with aud `%s` and iss `%s`',
+                 kid, token, self.client_id(), self._issuer)
     try:
       return decode(token, self._get_public_key(kid), algorithms=ALLOWED_ALGORITHMS,
                     audience=self.client_id(),
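Review bot: The debug line added in the `@@ -185,6 +187,8 @@` hunk writes the raw ID token (`token`) into the log, which puts a live, signed credential carrying the user's identity claims into every log sink and downstream system, where it outlives the token's validity window and is readable by anyone with log access; tokens and secrets should not be logged at any level, since DEBUG is routinely enabled in production to chase exactly this kind of problem. The `kid`, the expected audience and the issuer are sufficient to diagnose key-selection and configuration mismatches. I would drop the second placeholder and the `token` argument from that call, so the format string reads `'Using key `%s`, attempting to decode token with aud `%s` and iss `%s`'` and the arguments are `kid, self.client_id(), self._issuer`. The enclosing method begins before this hunk and continues into the next one.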
@@ -193,12 +197,20 @@ class OIDCLoginService(OAuthService):
                     options=dict(require_nbf=False))
     except InvalidTokenError:
       # Public key may have expired. Try to retrieve an updated public key and use it to decode.
-      return decode(token, self._get_public_key(kid, force_refresh=True),
-                    algorithms=ALLOWED_ALGORITHMS,
-                    audience=self.client_id(),
-                    issuer=self._issuer,
-                    leeway=JWT_CLOCK_SKEW_SECONDS,
-                    options=dict(require_nbf=False))
+      try:
+        return decode(token, self._get_public_key(kid, force_refresh=True),
+                      algorithms=ALLOWED_ALGORITHMS,
+                      audience=self.client_id(),
+                      issuer=self._issuer,
+                      leeway=JWT_CLOCK_SKEW_SECONDS,
+                      options=dict(require_nbf=False))
+      except InvalidTokenError as ite:
+        # Decode again with verify=False, and log the decoded token to allow for easier debugging.
+        nonverified = decode(token, self._get_public_key(kid, force_refresh=True),
+                             algorithms=ALLOWED_ALGORITHMS,
+                             options=dict(require_nbf=False, verify=False))
+        logger.debug('Got an error when trying to verify OIDC JWT: %s', nonverified)
+        raise ite
   def _get_public_key(self, kid, force_refresh=False):
     """ Retrieves the public key for this handler with the given kid. Raises a
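Review bot: The diagnostic decode added in the `except InvalidTokenError as ite:` branch does not appear to turn verification off: if `decode` is PyJWT's (which the `ALLOWED_ALGORITHMS`/`leeway` usage suggests), `verify` is a keyword argument of `decode` itself rather than an `options` key, so `options=dict(verify=False)` is ignored, the signature and default claim checks still run, and because no `audience` is passed while the token carries `aud`, this second call raises its own `InvalidTokenError`, which escapes in place of `ite` so the caller sees an unrelated error and the debug line never prints. The call also triggers another `force_refresh=True` JWKS fetch for every bad token an unauthenticated client submits, and logs the entire unverified payload (typically email, name and other PII) to the debug log. I would make the unverified decode explicit and key-less, treat it as best effort so it can never mask `ite`, and log only the claims needed to diagnose the failure alongside the original error; the enclosing method starts before this hunk.

```python
      except InvalidTokenError as ite:
        # Best-effort unverified decode for diagnostics only; never log the raw token or full claims.
        try:
          unverified = decode(token, verify=False)
        except InvalidTokenError:
          unverified = {}
        logger.debug('Got an error when trying to verify OIDC JWT (kid=%s, iss=%s, aud=%s, exp=%s): %s',
                     kid, unverified.get('iss'), unverified.get('aud'), unverified.get('exp'), ite)
        raise ite
```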