Improve logging in case of OIDC Identity provider errors:

- log the full Redirection URL, when it contains an error parameter, or does not contain the state or code parameter - log the token endpoint URL (without - possibly confidential - params) and the response body, when the token endpoint does not return a success response Closes #23690
2023-10-04 14:23:28 +02:00 · 2023-10-04 14:23:28 +02:00 · dd37e02140
commit dd37e02140
parent 7c6f173d3a
4 changed files with 55 additions and 20 deletions
--- a/server-spi-private/src/main/java/org/keycloak/broker/provider/util/SimpleHttp.java
+++ b/server-spi-private/src/main/java/org/keycloak/broker/provider/util/SimpleHttp.java
@ -248,6 +248,13 @@ public class SimpleHttp {
        }
    }

+    /**
+     * @return the URL without params
+     */
+    public String getUrl() {
+        return url;
+    }
+
    private Response makeRequest() throws IOException {

        HttpRequestBase httpRequest = createHttpRequest();
--- a/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
+++ b/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java
@ -479,7 +479,10 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
        public Response authResponse(@QueryParam(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_STATE) String state,
                                     @QueryParam(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CODE) String authorizationCode,
                                     @QueryParam(OAuth2Constants.ERROR) String error) {
+            OAuth2IdentityProviderConfig providerConfig = provider.getConfig();
+            
            if (state == null) {
+                logErroneousRedirectUrlError("Redirection URL does not contain a state parameter", providerConfig);
                return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_MISSING_STATE_ERROR);
            }

@ -487,10 +490,8 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
                AuthenticationSessionModel authSession = this.callback.getAndVerifyAuthenticationSession(state);
                session.getContext().setAuthenticationSession(authSession);

-                OAuth2IdentityProviderConfig providerConfig = provider.getConfig();
-
                if (error != null) {
-                    logger.error(error + " for broker login " + providerConfig.getProviderId());
+                    logErroneousRedirectUrlError("Redirection URL contains an error", providerConfig);
                    if (error.equals(ACCESS_DENIED)) {
                        return callback.cancelled(providerConfig);
                    } else if (error.equals(OAuthErrorException.LOGIN_REQUIRED) || error.equals(OAuthErrorException.INTERACTION_REQUIRED)) {
@ -500,8 +501,25 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
                    }
                }

-                if (authorizationCode != null) {
-                    String response = generateTokenRequest(authorizationCode).asString();
+                if (authorizationCode == null) {
+                    logErroneousRedirectUrlError("Redirection URL neither contains a code nor error parameter",
+                            providerConfig);
+                    return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_MISSING_CODE_OR_ERROR_ERROR);
+                }
+
+                SimpleHttp simpleHttp = generateTokenRequest(authorizationCode);
+                String response;
+                try (SimpleHttp.Response simpleResponse = simpleHttp.asResponse()) {
+                    int status = simpleResponse.getStatus();
+                    boolean success = status >= 200 && status < 400;
+                    response = simpleResponse.asString();
+
+                    if (!success) {
+                        logger.errorf("Unexpected response from token endpoint %s. status=%s, response=%s",
+                                simpleHttp.getUrl(), status, response);
+                        return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
+                    }
+                }

                BrokeredIdentityContext federatedIdentity = provider.getFederatedIdentity(response);

@ -516,7 +534,6 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
                federatedIdentity.setAuthenticationSession(authSession);

                return callback.authenticated(federatedIdentity);
-                }
            } catch (WebApplicationException e) {
                return e.getResponse();
            } catch (IdentityBrokerException e) {
@ -524,11 +541,19 @@ public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityPro
                    return errorIdentityProviderLogin(e.getMessageCode());
                }
                logger.error("Failed to make identity provider oauth callback", e);
+                return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            } catch (Exception e) {
                logger.error("Failed to make identity provider oauth callback", e);
-            }
                return errorIdentityProviderLogin(Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            }
+        }
+
+        private void logErroneousRedirectUrlError(String mainMessage, OAuth2IdentityProviderConfig providerConfig) {
+            String providerId = providerConfig.getProviderId();
+            String redirectionUrl = session.getContext().getUri().getRequestUri().toString();
+
+            logger.errorf("%s. providerId=%s, redirectionUrl=%s", mainMessage, providerId, redirectionUrl);
+        }

        private Response errorIdentityProviderLogin(String message) {
            event.event(EventType.IDENTITY_PROVIDER_LOGIN);
--- a/services/src/main/java/org/keycloak/services/messages/Messages.java
+++ b/services/src/main/java/org/keycloak/services/messages/Messages.java
@ -185,6 +185,8 @@ public class Messages {

    public static final String IDENTITY_PROVIDER_MISSING_STATE_ERROR = "identityProviderMissingStateMessage";

+    public static final String IDENTITY_PROVIDER_MISSING_CODE_OR_ERROR_ERROR = "identityProviderMissingCodeOrErrorMessage";
+
    public static final String IDENTITY_PROVIDER_INVALID_RESPONSE = "identityProviderInvalidResponseMessage";

    public static final String IDENTITY_PROVIDER_INVALID_SIGNATURE = "identityProviderInvalidSignatureMessage";
--- a/themes/src/main/resources/theme/base/login/messages/messages_en.properties
+++ b/themes/src/main/resources/theme/base/login/messages/messages_en.properties
@ -343,6 +343,7 @@ cookieNotFoundMessage=Cookie not found. Please make sure cookies are enabled in
 insufficientLevelOfAuthentication=The requested level of authentication has not been satisfied.
 identityProviderUnexpectedErrorMessage=Unexpected error when authenticating with identity provider
 identityProviderMissingStateMessage=Missing state parameter in response from identity provider.
+identityProviderMissingCodeOrErrorMessage=Missing code or error parameter in response from identity provider.
 identityProviderInvalidResponseMessage=Invalid response from identity provider.
 identityProviderInvalidSignatureMessage=Invalid signature in response from identity provider.
 identityProviderNotFoundMessage=Could not find an identity provider with the identifier.