[KEYCLOAK-5925] - Trace-level should log tokens without their signatures

This commit is contained in:
pedroigor 2017-11-28 09:54:57 -02:00
parent 36314c51d6
commit 792ffdf39b
2 changed files with 30 additions and 0 deletions


@ -23,6 +23,8 @@ import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome; import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade; import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.common.VerificationException; import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken; import org.keycloak.representations.AccessToken;
import javax.security.cert.X509Certificate; import javax.security.cert.X509Certificate;
@ -83,6 +85,16 @@ public class BearerTokenRequestAuthenticator {
} }
protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) { protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
log.debug("Verifying access_token");
if (log.isTraceEnabled()) {
try {
JWSInput jwsInput = new JWSInput(tokenString);
String wireString = jwsInput.getWireString();
log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
} catch (JWSInputException e) {
log.errorf(e, "Failed to parse access_token: %s", tokenString);
}
}
try { try {
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment); token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
} catch (VerificationException e) { } catch (VerificationException e) {
@ -124,6 +136,7 @@ public class BearerTokenRequestAuthenticator {
} }
surrogate = chain[0].getSubjectDN().getName(); surrogate = chain[0].getSubjectDN().getName();
} }
log.debug("successful authorized");
return AuthOutcome.AUTHENTICATED; return AuthOutcome.AUTHENTICATED;
} }
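Review bot: The catch branch at the `log.errorf(e, "Failed to parse access_token: %s", tokenString)` line writes the complete, unparsed bearer token to the log, so the signature stripping this commit introduces only holds for tokens that parse; a malformed token reaches the log in full, at error level, and that value is client-supplied. Since the block is already inside `isTraceEnabled()` and the `verifyToken` call two lines below has its own `VerificationException` handling, the token can be dropped from the message: `log.tracef(e, "Failed to parse access_token");`. The same pattern appears in `logToken` in OAuthRequestAuthenticator in the second file of this commit. It is also worth confirming that `JWSInput` guarantees a dot in `getWireString()`; if it can return a value without one, `lastIndexOf(".")` is -1 and `substring(0, -1)` throws a `StringIndexOutOfBoundsException` that the `JWSInputException` catch does not cover.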


@ -350,6 +350,14 @@ public class OAuthRequestAuthenticator {
tokenString = tokenResponse.getToken(); tokenString = tokenResponse.getToken();
refreshToken = tokenResponse.getRefreshToken(); refreshToken = tokenResponse.getRefreshToken();
idTokenString = tokenResponse.getIdToken(); idTokenString = tokenResponse.getIdToken();
log.debug("Verifying tokens");
if (log.isTraceEnabled()) {
logToken("\taccess_token", tokenString);
logToken("\tid_token", idTokenString);
logToken("\trefresh_token", refreshToken);
}
try { try {
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment); token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
if (idTokenString != null) { if (idTokenString != null) {
@ -404,4 +412,13 @@ public class OAuthRequestAuthenticator {
return originalUri; return originalUri;
} }
private void logToken(String name, String token) {
try {
JWSInput jwsInput = new JWSInput(token);
String wireString = jwsInput.getWireString();
log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
} catch (JWSInputException e) {
log.errorf(e, "Failed to parse %s: %s", name, token);
}
}
} }
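Review bot: `logToken` is called with `idTokenString` and `refreshToken`, and the context line `if (idTokenString != null)` just below the first hunk shows the surrounding code treats at least one of these as optional, yet `logToken` passes the value straight to `new JWSInput(token)`. Unless `JWSInput` tolerates null (not visible here), that is a `NullPointerException` rather than a `JWSInputException`, so the catch does not apply and enabling trace logging would abort the token verification that follows. A null guard as the first line of the helper avoids this: `if (token == null) { log.tracef("\t%s: null", name); return; }`. The `name` parameter is always passed with a leading tab while the format string adds another, so one of the two can go.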