vbatts/quay
Archived
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add additional debug logs to OIDC auth to make debugging easier

Browse source
This commit is contained in:
Joseph Schorr 2017-04-07 11:48:53 -04:00
parent 002972fc2f
commit 0c7bac26b7
1 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
oauth/oidc.py
View file

@ -127,6 +127,8 @@ class OIDCLoginService(OAuthService):
# Verify subs. # Verify subs.
if user_info['sub'] != decoded_id_token['sub']: if user_info['sub'] != decoded_id_token['sub']:
logger.debug('Mismatch in `sub` returned by OIDC user info endpoint: %s vs %s',
user_info['sub'], decoded_id_token['sub'])
raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint') raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint')
# Check if we have a verified email address. # Check if we have a verified email address.
@ -185,6 +187,8 @@ class OIDCLoginService(OAuthService):
if kid is None: if kid is None:
raise InvalidTokenError('Missing `kid` header') raise InvalidTokenError('Missing `kid` header')
logger.debug('Using key `%s`, attempting to decode token `%s` with aud `%s` and iss `%s`',
kid, token, self.client_id(), self._issuer)
try: try:
return decode(token, self._get_public_key(kid), algorithms=ALLOWED_ALGORITHMS, return decode(token, self._get_public_key(kid), algorithms=ALLOWED_ALGORITHMS,
audience=self.client_id(), audience=self.client_id(),
@ -193,12 +197,20 @@ class OIDCLoginService(OAuthService):
options=dict(require_nbf=False)) options=dict(require_nbf=False))
except InvalidTokenError: except InvalidTokenError:
# Public key may have expired. Try to retrieve an updated public key and use it to decode. # Public key may have expired. Try to retrieve an updated public key and use it to decode.
return decode(token, self._get_public_key(kid, force_refresh=True), try:
algorithms=ALLOWED_ALGORITHMS, return decode(token, self._get_public_key(kid, force_refresh=True),
audience=self.client_id(), algorithms=ALLOWED_ALGORITHMS,
issuer=self._issuer, audience=self.client_id(),
leeway=JWT_CLOCK_SKEW_SECONDS, issuer=self._issuer,
options=dict(require_nbf=False)) leeway=JWT_CLOCK_SKEW_SECONDS,
options=dict(require_nbf=False))
except InvalidTokenError as ite:
# Decode again with verify=False, and log the decoded token to allow for easier debugging.
nonverified = decode(token, self._get_public_key(kid, force_refresh=True),
algorithms=ALLOWED_ALGORITHMS,
options=dict(require_nbf=False, verify=False))
logger.debug('Got an error when trying to verify OIDC JWT: %s', nonverified)
raise ite
def _get_public_key(self, kid, force_refresh=False): def _get_public_key(self, kid, force_refresh=False):
""" Retrieves the public key for this handler with the given kid. Raises a """ Retrieves the public key for this handler with the given kid. Raises a