Add additional debug logs to OIDC auth to make debugging easier

2017-04-07 11:48:53 -04:00 · 2017-04-07 11:48:53 -04:00 · 0c7bac26b7
commit 0c7bac26b7
parent 002972fc2f
1 changed files with 18 additions and 6 deletions
--- a/oauth/oidc.py
+++ b/oauth/oidc.py
@ -127,6 +127,8 @@ class OIDCLoginService(OAuthService):

    # Verify subs.
    if user_info['sub'] != decoded_id_token['sub']:
+      logger.debug('Mismatch in `sub` returned by OIDC user info endpoint: %s vs %s',
+                   user_info['sub'], decoded_id_token['sub'])
      raise OAuthLoginException('Mismatch in `sub` returned by OIDC user info endpoint')

    # Check if we have a verified email address.
@ -185,6 +187,8 @@ class OIDCLoginService(OAuthService):
    if kid is None:
      raise InvalidTokenError('Missing `kid` header')

+    logger.debug('Using key `%s`, attempting to decode token `%s` with aud `%s` and iss `%s`',
+                 kid, token, self.client_id(), self._issuer)
    try:
      return decode(token, self._get_public_key(kid), algorithms=ALLOWED_ALGORITHMS,
                    audience=self.client_id(),
@ -193,12 +197,20 @@ class OIDCLoginService(OAuthService):
                    options=dict(require_nbf=False))
    except InvalidTokenError:
      # Public key may have expired. Try to retrieve an updated public key and use it to decode.
+      try:
        return decode(token, self._get_public_key(kid, force_refresh=True),
                      algorithms=ALLOWED_ALGORITHMS,
                      audience=self.client_id(),
                      issuer=self._issuer,
                      leeway=JWT_CLOCK_SKEW_SECONDS,
                      options=dict(require_nbf=False))
+      except InvalidTokenError as ite:
+        # Decode again with verify=False, and log the decoded token to allow for easier debugging.
+        nonverified = decode(token, self._get_public_key(kid, force_refresh=True),
+                             algorithms=ALLOWED_ALGORITHMS,
+                             options=dict(require_nbf=False, verify=False))
+        logger.debug('Got an error when trying to verify OIDC JWT: %s', nonverified)
+        raise ite

  def _get_public_key(self, kid, force_refresh=False):
    """ Retrieves the public key for this handler with the given kid. Raises a