Merge pull request #4753 from pedroigor/KEYCLOAK-5925

[KEYCLOAK-5925] - Trace-level should log tokens without signatures
2017-11-28 08:56:14 -05:00 · 2017-11-28 08:56:14 -05:00 · 33c38ceb8b
commit 33c38ceb8b
parent 36314c51d6 792ffdf39b
2 changed files with 30 additions and 0 deletions
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@ -23,6 +23,8 @@ import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.common.VerificationException;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;

 import javax.security.cert.X509Certificate;
@ -83,6 +85,16 @@ public class BearerTokenRequestAuthenticator {
    }
    
    protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
+        log.debug("Verifying access_token");
+        if (log.isTraceEnabled()) {
+            try {
+                JWSInput jwsInput = new JWSInput(tokenString);
+                String wireString = jwsInput.getWireString();
+                log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+            } catch (JWSInputException e) {
+                log.errorf(e, "Failed to parse access_token: %s", tokenString);
+            }
+        }
        try {
            token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
        } catch (VerificationException e) {
@ -124,6 +136,7 @@ public class BearerTokenRequestAuthenticator {
            }
            surrogate = chain[0].getSubjectDN().getName();
        }
+        log.debug("successful authorized");
        return AuthOutcome.AUTHENTICATED;
    }

--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@ -350,6 +350,14 @@ public class OAuthRequestAuthenticator {
        tokenString = tokenResponse.getToken();
        refreshToken = tokenResponse.getRefreshToken();
        idTokenString = tokenResponse.getIdToken();
+
+        log.debug("Verifying tokens");
+        if (log.isTraceEnabled()) {
+            logToken("\taccess_token", tokenString);
+            logToken("\tid_token", idTokenString);
+            logToken("\trefresh_token", refreshToken);
+        }
+
        try {
            token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
            if (idTokenString != null) {
@ -404,4 +412,13 @@ public class OAuthRequestAuthenticator {
        return originalUri;
    }

+    private void logToken(String name, String token) {
+        try {
+            JWSInput jwsInput = new JWSInput(token);
+            String wireString = jwsInput.getWireString();
+            log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+        } catch (JWSInputException e) {
+            log.errorf(e, "Failed to parse %s: %s", name, token);
+        }
+    }
 }