Updated to log the id token during token requests and logout error with the id token hint

Author: Shilen Patel

lib/Controller/LogoutController.php

@@ -144,13 +144,24 @@ public function __invoke(ServerRequest $request): Response
 
             return $this->resolveResponse($logoutRequest, $wasLogoutActionCalled);
         } catch (Exception $e) {
+            $requestMethod = strtoupper($request->getMethod());
+            $idTokenHintParam = '';
+            if ($requestMethod === 'GET') {
+                $idTokenHintParam = $request->getQueryParams()['id_token_hint'] ?? '';
+            } elseif ($requestMethod === 'POST') {
+                if (is_array($parsedBody = $request->getParsedBody())) {
+                    $idTokenHintParam = $parsedBody['id_token_hint'] ?? '';
+                }
+            }
+
             MetricLogger::getInstance()->logMetric(
                 'oidc',
                 'error',
                 [
                     'message' => $e->getMessage(),
                     'oidc' => [
                             'endpoint' => 'logout',
+                            'idTokenHint' => $idTokenHintParam
                         ]
 
                 ]

lib/Controller/OAuth2AccessTokenController.php

@@ -64,7 +64,6 @@ public function __invoke(ServerRequest $request): \Psr\Http\Message\ResponseInte
         try {
             return $this->authorizationServer->respondToAccessTokenRequest($request, new Response());
         } catch (Exception $e) {
-            // TODO log anything else?
             MetricLogger::getInstance()->logMetric(
                 'oidc',
                 'error',

lib/Controller/OpenIdConnectUserInfoController.php

@@ -128,7 +128,6 @@ public function __invoke(ServerRequest $request): Response
 
             return new JsonResponse($claims);
         } catch (Exception $e) {
-            // TODO log anything else?  Assume the token is passed through the authorization header?  OK to log that, or a prefix if there's no sensitive data there, or a hash of it?
             MetricLogger::getInstance()->logMetric(
                 'oidc',
                 'error',

lib/Server/Grants/AuthCodeGrant.php

@@ -481,9 +481,10 @@ public function respondToAccessTokenRequest(
             'token',
             [
                 'authCodeId' => $authCodePayload->auth_code_id,
+                'sub' => $authCodePayload->user_id,
+                'scopes' => $scopes,
                 'grantType' => $this->getIdentifier(),
                 'clientId' => $client->getIdentifier(),
-                'sub' => $authCodePayload->user_id
             ]
         );
 

lib/Server/ResponseTypes/IdTokenResponse.php

@@ -14,6 +14,7 @@
 
 namespace SimpleSAML\Module\oidc\Server\ResponseTypes;
 
+use CirrusIdentity\SSP\Utils\MetricLogger;
 use Exception;
 use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
 use League\OAuth2\Server\Entities\ScopeEntityInterface;
@@ -102,6 +103,17 @@ protected function getExtraParams(AccessTokenEntityInterface $accessToken): arra
             $this->getSessionId()
         );
 
+        MetricLogger::getInstance()->logMetric(
+            'oidc',
+            'idToken',
+            [
+                'idTokenClaims' => array_keys($token->claims()->all()),
+                'sub' => $token->claims()->get("sub"),
+                'scopes' => $accessToken->getScopes(),
+                'clientId' => $accessToken->getClient()->getIdentifier()
+            ]
+        );
+
         return [
             'id_token' => $token->toString(),
         ];