From 792ffdf39b1541f9720d2536ce38c2f384e62a5f Mon Sep 17 00:00:00 2001
From: pedroigor
Date: Tue, 28 Nov 2017 09:54:57 -0200
Subject: [PATCH] [KEYCLOAK-5925] - Trace-level should log tokens without their signatures

---
 .../BearerTokenRequestAuthenticator.java | 13 +++++++++++++
 .../adapters/OAuthRequestAuthenticator.java | 17 +++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
index fd4544f637..bb6840960b 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@@ -23,6 +23,8 @@ import org.keycloak.adapters.spi.AuthChallenge;
 import org.keycloak.adapters.spi.AuthOutcome;
 import org.keycloak.adapters.spi.HttpFacade;
 import org.keycloak.common.VerificationException;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
 import org.keycloak.representations.AccessToken;
 import javax.security.cert.X509Certificate;
@@ -83,6 +85,16 @@ public class BearerTokenRequestAuthenticator {
 }
 protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
+ log.debug("Verifying access_token");
+ if (log.isTraceEnabled()) {
+ try {
+ JWSInput jwsInput = new JWSInput(tokenString);
+ String wireString = jwsInput.getWireString();
+ log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+ } catch (JWSInputException e) {
+ log.errorf(e, "Failed to parse access_token: %s", tokenString);
+ }
+ }
 try {
 token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
 } catch (VerificationException e) {
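Review bot: The `catch (JWSInputException e)` branch in authenticateToken writes the complete, still-unverified bearer string at ERROR level (`log.errorf(e, "Failed to parse access_token: %s", tokenString)`), which is precisely the signature-bearing value the subject says should stay out of the log, and it is caller-supplied input that has not passed verification yet. The same pattern is in logToken in the @@ -404 hunk of OAuthRequestAuthenticator. Since AdapterRSATokenVerifier.verifyToken on the following lines will reject the same string anyway (its catch continues past the hunk), the trace-only path can report the failure without echoing the token, e.g. `log.tracef(e, "Failed to parse access_token for trace logging");`. authenticateToken's body continues outside the hunk.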
@@ -124,6 +136,7 @@ public class BearerTokenRequestAuthenticator {
 }
 surrogate = chain[0].getSubjectDN().getName();
 }
+ log.debug("successful authorized");
 return AuthOutcome.AUTHENTICATED;
 }
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
index 6d7e6608b0..7b0ee80da8 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@@ -350,6 +350,14 @@ public class OAuthRequestAuthenticator {
 tokenString = tokenResponse.getToken();
 refreshToken = tokenResponse.getRefreshToken();
 idTokenString = tokenResponse.getIdToken();
+
+ log.debug("Verifying tokens");
+ if (log.isTraceEnabled()) {
+ logToken("\taccess_token", tokenString);
+ logToken("\tid_token", idTokenString);
+ logToken("\trefresh_token", refreshToken);
+ }
+
 try {
 token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
 if (idTokenString != null) {
@@ -404,4 +412,13 @@ public class OAuthRequestAuthenticator {
 return originalUri;
 }
+ private void logToken(String name, String token) {
+ try {
+ JWSInput jwsInput = new JWSInput(token);
+ String wireString = jwsInput.getWireString();
+ log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+ } catch (JWSInputException e) {
+ log.errorf(e, "Failed to parse %s: %s", name, token);
+ }
+ }
 }
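Review bot: The new message `log.debug("successful authorized");` reads as a typo; `log.debug("successfully authorized");` says what is meant. The enclosing method starts outside the hunk.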
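Review bot: `logToken("\tid_token", idTokenString)` and `logToken("\trefresh_token", refreshToken)` are called unconditionally, yet the `if (idTokenString != null)` three lines later shows the id token can be absent, and the refresh token presumably can be as well. logToken hands the value straight to `new JWSInput(token)` and catches only JWSInputException, so if that constructor does not accept null the resulting NullPointerException would abort the login whenever trace logging is enabled. Guard the calls, `if (idTokenString != null) logToken("\tid_token", idTokenString);` and likewise for the refresh token, or have logToken in the @@ -404 hunk return early on a null token. The enclosing method starts and ends outside the hunk.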
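Review bot: logToken's format string `"\t%s: %s"` prepends a tab while every caller in the @@ -350 hunk already passes a name beginning with `\t`, so these trace lines come out double-indented compared with the Bearer authenticator's `\taccess_token` line; drop the tab from either the callers or the format. The helper also has no Javadoc; a one-liner such as `/** Logs the header and payload of a JWS at trace level, replacing the signature segment with the literal ".signature". */` would make its purpose clear.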