From 1d246784dd189d73d1b47b44291b744ccdde8dc6 Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Fri, 7 Jul 2017 13:07:00 -0400
Subject: [PATCH] Include invalid oidc token in the error message for debugging
---
 data/users/__init__.py | 5 ++++-
 data/users/oidc.py | 4 ++--
 endpoints/api/suconfig.py | 5 +++--
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/data/users/__init__.py b/data/users/__init__.py
index 913823f91..ccc9e7f7e 100644
--- a/data/users/__init__.py
+++ b/data/users/__init__.py
@@ -26,7 +26,10 @@ def get_federated_service_name(authentication_type):
 return 'keystone'
 if authentication_type == 'OIDC':
- return 'oidc'
+ return None
+
+ if authentication_type == 'Database':
+ return None
 raise Exception('Unknown auth type: %s' % authentication_type)
diff --git a/data/users/oidc.py b/data/users/oidc.py
index 53ab18b0b..5837a9e11 100644
--- a/data/users/oidc.py
+++ b/data/users/oidc.py
@@ -39,10 +39,10 @@ class OIDCInternalAuth(object):
 try:
 payload = self.login_service.decode_user_jwt(id_token)
 except InvalidTokenError as ite:
- logger.exception('Got invalid token error on OIDC decode: %s', ite.message)
+ logger.exception('Got invalid token error on OIDC decode: %s. Token: %s', ite.message, id_token)
 return (None, 'Could not validate OIDC token')
 except PublicKeyLoadException as pke:
- logger.exception('Could not load public key during OIDC decode: %s', pke.message)
+ logger.exception('Could not load public key during OIDC decode: %s. Token: %s', pke.message, id_token)
 return (None, 'Could not validate OIDC token')
 # Find the user ID.
diff --git a/endpoints/api/suconfig.py b/endpoints/api/suconfig.py
index dd90285bf..7221ac889 100644
--- a/endpoints/api/suconfig.py
+++ b/endpoints/api/suconfig.py
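Review bot: get_federated_service_name now returns None for two types while still raising for unknown ones, and nothing in the hunk records that None means "no federated login service to link"; any caller that used the returned string as a service name (the old 'oidc' value) will now receive None instead. A docstring on the def, which sits above the hunk, should state the contract, e.g. `"""Return the federated login service name for authentication_type, or None when the type has no linkable service (Database, OIDC); raise for an unknown type."""`. Whether OIDC is meant to be treated like Database here is not clear from the diff — it is a federated protocol, so the function name now reads oddly for it — and if that is intended, a one-line comment on the OIDC branch saying why would spare the next reader the same question.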
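Review bot: Both new logger.exception calls write the raw id_token into the log, and in the PublicKeyLoadException branch the token may be entirely valid — the failure is on the verifier's side, not the token's — so the log now holds a live bearer credential; even an expired or mis-signed ID token still carries its identity claims (subject, email) in plain base64. Log a non-reversible correlator instead, e.g. `logger.exception('Got invalid token error on OIDC decode: %s. Token sha256: %s', ite.message, hashlib.sha256(id_token).hexdigest()[:16])` with the same change in the second branch, which still lets a support report be matched to a specific token without storing it. If the full token is genuinely needed for debugging it belongs behind an explicit debug-level switch, not in the default exception path. The enclosing method starts above the hunk.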
@@ -217,9 +217,10 @@ class SuperUserConfig(ApiResource):
 # Write the configuration changes to the config override file.
 config_provider.save_config(config_object)
- # If the authentication system is not the database, link the superuser account to the
+ # If the authentication system is federated, link the superuser account to the
 # the authentication system chosen.
- if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
+ service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
+ if service_name is not None:
 current_user = get_authenticated_user()
 if current_user is None:
 abort(401)
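Review bot: Replacing `config_object.get('AUTHENTICATION_TYPE', 'Database')` with `config_object['AUTHENTICATION_TYPE']` drops the default, so a submitted config without that key now raises KeyError after save_config has already persisted it, where the old code fell through to the Database case; keeping the default, `service_name = get_federated_service_name(config_object.get('AUTHENTICATION_TYPE', 'Database'))`, restores that. The diffstat for this file shows three insertions, all visible in this hunk, so no import of get_federated_service_name was added — unless the name is already imported elsewhere in suconfig.py, the new line fails with NameError the first time a federated configuration is saved. get_federated_service_name also raises for an unknown type, so a bad value hits the same post-save failure; that was already possible before this change, but it is worth a short comment on the new line since the write above it is not rolled back. The enclosing method continues outside the hunk.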