[KEYCLOAK-5925] - Trace-level should log tokens without their signatures
This commit is contained in:
parent
36314c51d6
commit
792ffdf39b
2 changed files with 30 additions and 0 deletions
@ -23,6 +23,8 @@ import org.keycloak.adapters.spi.AuthChallenge;
|
||||||
import org.keycloak.adapters.spi.AuthOutcome;
|
import org.keycloak.adapters.spi.AuthOutcome;
|
||||||
import org.keycloak.adapters.spi.HttpFacade;
|
import org.keycloak.adapters.spi.HttpFacade;
|
||||||
import org.keycloak.common.VerificationException;
|
import org.keycloak.common.VerificationException;
|
||||||
|
import org.keycloak.jose.jws.JWSInput;
|
||||||
|
import org.keycloak.jose.jws.JWSInputException;
|
||||||
import org.keycloak.representations.AccessToken;
|
import org.keycloak.representations.AccessToken;
|
||||||
|
|
||||||
import javax.security.cert.X509Certificate;
|
import javax.security.cert.X509Certificate;
|
||||||
|
@ -83,6 +85,16 @@ public class BearerTokenRequestAuthenticator {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
|
protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
|
||||||
|
log.debug("Verifying access_token");
|
||||||
|
if (log.isTraceEnabled()) {
|
||||||
|
try {
|
||||||
|
JWSInput jwsInput = new JWSInput(tokenString);
|
||||||
|
String wireString = jwsInput.getWireString();
|
||||||
|
log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
|
||||||
|
} catch (JWSInputException e) {
|
||||||
|
log.errorf(e, "Failed to parse access_token: %s", tokenString);
|
||||||
|
}
|
||||||
|
}
|
||||||
try {
|
try {
|
||||||
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
|
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
|
||||||
} catch (VerificationException e) {
|
} catch (VerificationException e) {
|
||||||
|
@ -124,6 +136,7 @@ public class BearerTokenRequestAuthenticator {
|
||||||
}
|
}
|
||||||
surrogate = chain[0].getSubjectDN().getName();
|
surrogate = chain[0].getSubjectDN().getName();
|
||||||
}
|
}
|
||||||
|
log.debug("successful authorized");
|
||||||
return AuthOutcome.AUTHENTICATED;
|
return AuthOutcome.AUTHENTICATED;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
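Review bot: The catch block added to authenticateToken, `log.errorf(e, "Failed to parse access_token: %s", tokenString);`, writes the complete bearer token, signature included, at ERROR level, which is exactly the exposure this commit sets out to remove and which lands in production logs because ERROR is always enabled, not just when trace is. Any unparseable Authorization header a client sends is copied into the log verbatim, and the token is handed to AdapterRSATokenVerifier.verifyToken a few lines later where a bad token already fails, so the message is redundant as well as leaky; log it at trace without the value, e.g. `log.tracef(e, "Failed to parse access_token");`. The `wireString.substring(0, wireString.lastIndexOf("."))` expression presumably relies on the JWSInput constructor rejecting input with no dot, since a -1 index would throw StringIndexOutOfBoundsException, which the catch does not cover; a one-line comment stating that assumption would help the next reader. authenticateToken continues outside this hunk.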
|
@ -350,6 +350,14 @@ public class OAuthRequestAuthenticator {
|
||||||
tokenString = tokenResponse.getToken();
|
tokenString = tokenResponse.getToken();
|
||||||
refreshToken = tokenResponse.getRefreshToken();
|
refreshToken = tokenResponse.getRefreshToken();
|
||||||
idTokenString = tokenResponse.getIdToken();
|
idTokenString = tokenResponse.getIdToken();
|
||||||
|
|
||||||
|
log.debug("Verifying tokens");
|
||||||
|
if (log.isTraceEnabled()) {
|
||||||
|
logToken("\taccess_token", tokenString);
|
||||||
|
logToken("\tid_token", idTokenString);
|
||||||
|
logToken("\trefresh_token", refreshToken);
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
|
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
|
||||||
if (idTokenString != null) {
|
if (idTokenString != null) {
|
||||||
|
@ -404,4 +412,13 @@ public class OAuthRequestAuthenticator {
|
||||||
return originalUri;
|
return originalUri;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void logToken(String name, String token) {
|
||||||
|
try {
|
||||||
|
JWSInput jwsInput = new JWSInput(token);
|
||||||
|
String wireString = jwsInput.getWireString();
|
||||||
|
log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
|
||||||
|
} catch (JWSInputException e) {
|
||||||
|
log.errorf(e, "Failed to parse %s: %s", name, token);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
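Review bot: logToken is invoked unconditionally at `logToken("\tid_token", idTokenString);`, yet the line just after the hunk guards with `if (idTokenString != null)`, so the id token is nullable at that point; if JWSInput dereferences its argument, as its split-on-dot parsing suggests, a null token raises NullPointerException rather than JWSInputException and aborts the login whenever trace logging is enabled. The same holds for refreshToken when a token response carries none. The catch in logToken also logs the raw token, signature included, at ERROR level (`log.errorf(e, "Failed to parse %s: %s", name, token);`), reintroducing the leak the commit removes. A null guard plus a token-free failure message keeps trace logging both safe to enable and safe to read:
```java
private void logToken(String name, String token) {
    if (token == null) {
        log.tracef("\t%s: <absent>", name);
        return;
    }
    // … unchanged: JWSInput parse and signature-stripped trace line …
    } catch (JWSInputException e) {
        log.tracef(e, "Failed to parse %s", name);
    }
}
```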