Logging changes per Patrick

Shilen Patel · Shilen Patel · commit 01537cfc81b5 · 2024-11-20T18:39:36.000-05:00
diff --git a/lib/Controller/OAuth2AuthorizationController.php b/lib/Controller/OAuth2AuthorizationController.php
@@ -86,16 +86,20 @@ public function __invoke(ServerRequest $request): ResponseInterface
             return $this->authorizationServer->completeAuthorizationRequest($authorizationRequest, new Response());
         } catch (Exception $e) {
             if (!($e instanceof BadRequest)) {
+                $queryParams = $request->getQueryParams();
+                $scope = $queryParams['scope'];
                 MetricLogger::getInstance()->logMetric(
                     'oidc',
                     'error',
                     [
                         'message' => $e->getMessage(),
+                        'clientId' => $queryParams['client_id'],
+                        'scopes' => ($scope === null || $scope === "") ? [] : explode(" ", $scope),
                         'oidc' => [
                                 'endpoint' => 'authorize',
                             ]
                             // authorize endpoint doesn't contain secrets so okay to log all params
-                            + $request->getQueryParams()
+                            + $queryParams
                     ]
                 );
             }
diff --git a/lib/Server/AuthorizationServer.php b/lib/Server/AuthorizationServer.php
@@ -76,16 +76,20 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
             $resultBag = $this->requestRulesManager->check($request, $rulesToExecute);
         } catch (OidcServerException $exception) {
             $reason = sprintf("%s %s", $exception->getMessage(), $exception->getHint() ?? '');
+            $queryParams = $request->getQueryParams();
+            $scope = $queryParams['scope'];
             MetricLogger::getInstance()->logMetric(
                 'oidc',
                 'error',
                 [
                     'message' => $reason,
+                    'clientId' => $queryParams['client_id'],
+                    'scopes' => ($scope === null || $scope === "") ? [] : explode(" ", $scope),
                     'oidc' => [
                             'endpoint' => 'authorize',
                         ]
                         // authorize endpoint doesn't contain secrets so okay to log all params
-                        + $request->getQueryParams()
+                        + $queryParams
 
                 ]
             );
diff --git a/lib/Server/Grants/AuthCodeGrant.php b/lib/Server/Grants/AuthCodeGrant.php
@@ -238,6 +238,7 @@ public function completeOidcAuthorizationRequest(
             'authorize',
             [
                 'authCodeId' => $authCode->getIdentifier(),
+                'sub' => $user->getIdentifier(),
                 'scopes' => $authCode->getScopes(),
                 'grantType' => $this->getIdentifier(),
                 'clientId' => $authCode->getClient()->getIdentifier()
@@ -481,6 +482,7 @@ public function respondToAccessTokenRequest(
             'token',
             [
                 'authCodeId' => $authCodePayload->auth_code_id,
+                'tokenId' => $accessToken->getIdentifier(),
                 'sub' => $authCodePayload->user_id,
                 'scopes' => $scopes,
                 'grantType' => $this->getIdentifier(),
diff --git a/lib/Server/Grants/ImplicitGrant.php b/lib/Server/Grants/ImplicitGrant.php
@@ -230,6 +230,8 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz
             'authorize',
             [
                 'idTokenClaims' => array_keys($idToken->claims()->all()),
+                'idTokenId' => $idToken->claims()->get("jti"),
+                'tokenId' => $accessToken->getIdentifier(),
                 'sub' => $idToken->claims()->get("sub"),
                 'scopes' => $finalizedScopes,
                 'grantType' => $this->getIdentifier(),
diff --git a/lib/Server/Grants/RefreshTokenGrant.php b/lib/Server/Grants/RefreshTokenGrant.php
@@ -10,6 +10,7 @@
 use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;
+use SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse;
 
 class RefreshTokenGrant extends OAuth2RefreshTokenGrant
 {
@@ -62,6 +63,7 @@ public function respondToAccessTokenRequest(
             'token',
             [
                 'oldRefreshTokenPrefix' => substr($encryptedRefreshToken, 0, 20),
+                'tokenId' => $responseType instanceof IdTokenResponse ? $responseType->getTokenId() : null,
                 'grantType' => $this->getIdentifier(),
                 'clientId' => $client->getIdentifier()
             ]
diff --git a/lib/Server/ResponseTypes/IdTokenResponse.php b/lib/Server/ResponseTypes/IdTokenResponse.php
@@ -108,6 +108,7 @@ protected function getExtraParams(AccessTokenEntityInterface $accessToken): arra
             'idToken',
             [
                 'idTokenClaims' => array_keys($token->claims()->all()),
+                'idTokenId' => $token->claims()->get("jti"),
                 'sub' => $token->claims()->get("sub"),
                 'scopes' => $accessToken->getScopes(),
                 'clientId' => $accessToken->getClient()->getIdentifier()
@@ -187,4 +188,9 @@ public function setSessionId(?string $sessionId): void
     {
         $this->sessionId = $sessionId;
     }
+
+    public function getTokenId(): ?string
+    {
+        return $this->accessToken->getIdentifier();
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -86,16 +86,20 @@ public function __invoke(ServerRequest $request): ResponseInterface`
`86`	`86`	`return $this->authorizationServer->completeAuthorizationRequest($authorizationRequest, new Response());`
`87`	`87`	`} catch (Exception $e) {`
`88`	`88`	`if (!($e instanceof BadRequest)) {`
	`89`	`+ $queryParams = $request->getQueryParams();`
	`90`	`+ $scope = $queryParams['scope'];`
`89`	`91`	`MetricLogger::getInstance()->logMetric(`
`90`	`92`	`'oidc',`
`91`	`93`	`'error',`
`92`	`94`	`[`
`93`	`95`	`'message' => $e->getMessage(),`
	`96`	`+ 'clientId' => $queryParams['client_id'],`
	`97`	`+ 'scopes' => ($scope === null \|\| $scope === "") ? [] : explode(" ", $scope),`
`94`	`98`	`'oidc' => [`
`95`	`99`	`'endpoint' => 'authorize',`
`96`	`100`	`]`
`97`	`101`	`// authorize endpoint doesn't contain secrets so okay to log all params`
`98`		`- + $request->getQueryParams()`
	`102`	`+ + $queryParams`
`99`	`103`	`]`
`100`	`104`	`);`
`101`	`105`	`}`
Original file line number	Diff line number	Diff line change
`@@ -230,6 +230,8 @@ private function completeOidcAuthorizationRequest(AuthorizationRequest $authoriz`
`230`	`230`	`'authorize',`
`231`	`231`	`[`
`232`	`232`	`'idTokenClaims' => array_keys($idToken->claims()->all()),`
	`233`	`+ 'idTokenId' => $idToken->claims()->get("jti"),`
	`234`	`+ 'tokenId' => $accessToken->getIdentifier(),`
`233`	`235`	`'sub' => $idToken->claims()->get("sub"),`
`234`	`236`	`'scopes' => $finalizedScopes,`
`235`	`237`	`'grantType' => $this->getIdentifier(),`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`use League\OAuth2\Server\ResponseTypes\ResponseTypeInterface;`
`11`	`11`	`use Psr\Http\Message\ServerRequestInterface;`
`12`	`12`	`use SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException;`
	`13`	`+use SimpleSAML\Module\oidc\Server\ResponseTypes\IdTokenResponse;`
`13`	`14`
`14`	`15`	`class RefreshTokenGrant extends OAuth2RefreshTokenGrant`
`15`	`16`	`{`
`@@ -62,6 +63,7 @@ public function respondToAccessTokenRequest(`
`62`	`63`	`'token',`
`63`	`64`	`[`
`64`	`65`	`'oldRefreshTokenPrefix' => substr($encryptedRefreshToken, 0, 20),`
	`66`	`+ 'tokenId' => $responseType instanceof IdTokenResponse ? $responseType->getTokenId() : null,`
`65`	`67`	`'grantType' => $this->getIdentifier(),`
`66`	`68`	`'clientId' => $client->getIdentifier()`
`67`	`69`	`]`
Original file line number	Diff line number	Diff line change
`@@ -108,6 +108,7 @@ protected function getExtraParams(AccessTokenEntityInterface $accessToken): arra`
`108`	`108`	`'idToken',`
`109`	`109`	`[`
`110`	`110`	`'idTokenClaims' => array_keys($token->claims()->all()),`
	`111`	`+ 'idTokenId' => $token->claims()->get("jti"),`
`111`	`112`	`'sub' => $token->claims()->get("sub"),`
`112`	`113`	`'scopes' => $accessToken->getScopes(),`
`113`	`114`	`'clientId' => $accessToken->getClient()->getIdentifier()`
`@@ -187,4 +188,9 @@ public function setSessionId(?string $sessionId): void`
`187`	`188`	`{`
`188`	`189`	`$this->sessionId = $sessionId;`
`189`	`190`	`}`
	`191`	`+`
	`192`	`+ public function getTokenId(): ?string`
	`193`	`+ {`
	`194`	`+ return $this->accessToken->getIdentifier();`
	`195`	`+ }`
`190`	`196`	`}`