Include invalid oidc token in the error message for debugging

data/users/__init__.py

@@ -26,7 +26,10 @@ def get_federated_service_name(authentication_type):
     return 'keystone'
 
   if authentication_type == 'OIDC':
-    return 'oidc'
+    return None
+
+  if authentication_type == 'Database':
+    return None
 
   raise Exception('Unknown auth type: %s' % authentication_type)
 

data/users/oidc.py

@@ -39,10 +39,10 @@ class OIDCInternalAuth(object):
     try:
       payload = self.login_service.decode_user_jwt(id_token)
     except InvalidTokenError as ite:
-      logger.exception('Got invalid token error on OIDC decode: %s', ite.message)
+      logger.exception('Got invalid token error on OIDC decode: %s. Token: %s', ite.message, id_token)
       return (None, 'Could not validate OIDC token')
     except PublicKeyLoadException as pke:
-      logger.exception('Could not load public key during OIDC decode: %s', pke.message)
+      logger.exception('Could not load public key during OIDC decode: %s. Token: %s', pke.message, id_token)
       return (None, 'Could not validate OIDC token')
 
     # Find the user ID.

endpoints/api/suconfig.py

@@ -217,9 +217,10 @@ class SuperUserConfig(ApiResource):
       # Write the configuration changes to the config override file.
       config_provider.save_config(config_object)
 
-      # If the authentication system is not the database, link the superuser account to the
+      # If the authentication system is federated, link the superuser account to the
       # the authentication system chosen.
-      if config_object.get('AUTHENTICATION_TYPE', 'Database') != 'Database':
+      service_name = get_federated_service_name(config_object['AUTHENTICATION_TYPE'])
+      if service_name is not None:
         current_user = get_authenticated_user()
         if current_user is None:
           abort(401)