
Commit cdeff65

committed
Log OIDC token endpoint errors
1 parent eb93f89 commit cdeff65

1 file changed

+44
-13
lines changed

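--- a/oidc_provider/lib/endpoints/token.py
+++ b/oidc_provider/lib/endpoints/token.py
@@ -47,44 +47,71 @@ def _extract_params(self):
         self.params["password"] = self.request.POST.get("password", "")
 
     def validate_params(self):
+        log_extra = {
+            "client_id": self.params["client_id"],
+            "redirecT_uri": self.params["redirect_uri"],
+            "grant_type": self.params["grant_type"],
+            "scope": self.params["scope"],
+        }
         try:
             self.client = Client.objects.get(client_id=self.params["client_id"])
         except Client.DoesNotExist:
-            logger.debug("[Token] Client does not exist: %s", self.params["client_id"])
+            logger.info(
+                "[OIDC:Token] Client does not exist: %s",
+                self.params["client_id"],
+                extra=log_extra,
+            )
             raise TokenError("invalid_client")
 
         if self.client.client_type == "confidential":
             if not (self.client.client_secret == self.params["client_secret"]):
-                logger.debug(
-                    "[Token] Invalid client secret: client %s do not have secret %s",
+                logger.info(
+                    "[OIDC:Token] Invalid client secret: client %s do not have secret %s",
                     self.client.client_id,
                     self.client.client_secret,
+                    extra=log_extra,
                 )
                 raise TokenError("invalid_client")
 
         if self.params["grant_type"] == "authorization_code":
             if self.params["redirect_uri"] not in self.client.redirect_uris:
-                logger.debug("[Token] Invalid redirect uri: %s", self.params["redirect_uri"])
+                logger.info(
+                    "[OIDC:Token] Invalid redirect uri: %s",
+                    self.params["redirect_uri"],
+                    extra=log_extra,
+                )
                 raise TokenError("invalid_client")
 
             try:
                 self.code = Code.objects.select_for_update(nowait=True).get(
                     code=self.params["code"]
                 )
             except DatabaseError:
-                logger.debug("[Token] Code cannot be reused: %s", self.params["code"])
+                logger.info(
+                    "[OIDC:Token] Code cannot be reused: %s",
+                    self.params["code"],
+                    extra=log_extra,
+                )
                 raise TokenError("invalid_grant")
             except Code.DoesNotExist:
-                logger.debug("[Token] Code does not exist: %s", self.params["code"])
+                logger.info(
+                    "[OIDC:Token] Code does not exist: %s",
+                    self.params["code"],
+                    extra=log_extra,
+                )
                 raise TokenError("invalid_grant")
 
             if not (self.code.client == self.client) or self.code.has_expired():
-                logger.debug("[Token] Invalid code: invalid client or code has expired")
+                logger.info(
+                    "[OIDC:Token] Invalid code: invalid client or code has expired",
+                    extra=log_extra,
+                )
                 raise TokenError("invalid_grant")
 
             # Validate PKCE parameters.
             if self.code.code_challenge:
                 if self.params["code_verifier"] is None:
+                    logger.info("[OIDC:Token] Missing code_verifier", extra=log_extra)
                     raise TokenError("invalid_grant")
 
                 if self.code.code_challenge_method == "S256":
@@ -100,6 +127,10 @@ def validate_params(self):
 
                 # TODO: We should explain the error.
                 if not (new_code_challenge == self.code.code_challenge):
+                    logger.info(
+                        "[OIDC:Token] code verifier did not match code challenge",
+                        extra=log_extra,
+                    )
                     raise TokenError("invalid_grant")
 
         elif self.params["grant_type"] == "password":
@@ -123,7 +154,7 @@ def validate_params(self):
 
         elif self.params["grant_type"] == "refresh_token":
             if not self.params["refresh_token"]:
-                logger.debug("[Token] Missing refresh token")
+                logger.info("[OIDC:Token] Missing refresh token")
                 raise TokenError("invalid_grant")
 
             try:
@@ -132,16 +163,16 @@ def validate_params(self):
                 )
 
             except Token.DoesNotExist:
-                logger.debug(
-                    "[Token] Refresh token does not exist: %s", self.params["refresh_token"]
+                logger.info(
+                    "[OIDC:Token] Refresh token does not exist: %s", self.params["refresh_token"]
                 )
                 raise TokenError("invalid_grant")
         elif self.params["grant_type"] == "client_credentials":
             if not self.client._scope:
-                logger.debug("[Token] Client using client credentials with empty scope")
+                logger.info("[OIDC:Token] Client using client credentials with empty scope")
                 raise TokenError("invalid_scope")
         else:
-            logger.debug("[Token] Invalid grant type: %s", self.params["grant_type"])
+            logger.info("[OIDC:Token] Invalid grant type: %s", self.params["grant_type"])
             raise TokenError("unsupported_grant_type")
 
     def validate_requested_scopes(self):
@@ -158,7 +189,7 @@ def validate_requested_scopes(self):
                 token_scopes.append(scope_requested)
             else:
                 logger.error(
-                    "[Token] The request scope %s is not supported by client %s",
+                    "[OIDC:Token] The request scope %s is not supported by client %s",
                     scope_requested,
                     self.client.client_id,
                 )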
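Review bot: The `log_extra` dict built at the top of validate_params misspells its key as `"redirecT_uri"`, so any log filter or structured-log query on `redirect_uri` will silently miss it; it should read `"redirect_uri": self.params["redirect_uri"],`. Promoting these messages from debug to info also means the stored client secret (the "Invalid client secret" call), the authorization code and the refresh token now reach production logs at the default level; these are credentials, so log only the client there — e.g. `"[OIDC:Token] Invalid client secret for client %s",` followed by `self.client.client_id,` — and drop the code/refresh_token values or reduce them to a fixed-length prefix. The refresh_token, client_credentials and unsupported-grant branches in the later hunks keep the new prefix but do not pass `extra=log_extra`, unlike the authorization_code branch, which leaves the structured fields inconsistent within the same method. validate_params begins in the first hunk and its remaining branches end outside the shown hunks.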
