fix(authz): add logging to access token verification errors (#6976)
* fix(authz): add logging to access token verification errors Related to #6949 * use logging fields --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
This commit is contained in:
parent
115d944d38
commit
24b05dc88c
@ -7,6 +7,8 @@ import (
|
|||||||
"errors"
|
"errors"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/zitadel/logging"
|
||||||
|
|
||||||
"github.com/zitadel/zitadel/internal/api/grpc"
|
"github.com/zitadel/zitadel/internal/api/grpc"
|
||||||
http_util "github.com/zitadel/zitadel/internal/api/http"
|
http_util "github.com/zitadel/zitadel/internal/api/http"
|
||||||
zitadel_errors "github.com/zitadel/zitadel/internal/errors"
|
zitadel_errors "github.com/zitadel/zitadel/internal/errors"
|
||||||
@ -107,6 +109,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain st
|
|||||||
return CtxData{}, err
|
return CtxData{}, err
|
||||||
}
|
}
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logging.WithFields("org_id", orgID, "org_domain", orgDomain).WithError(err).Warn("authz: verify access token")
|
||||||
var sysTokenErr error
|
var sysTokenErr error
|
||||||
sysMemberships, userID, sysTokenErr = t.VerifySystemToken(ctx, tokenWOBearer, orgID)
|
sysMemberships, userID, sysTokenErr = t.VerifySystemToken(ctx, tokenWOBearer, orgID)
|
||||||
if sysTokenErr != nil || sysMemberships == nil {
|
if sysTokenErr != nil || sysMemberships == nil {
|
||||||
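Review bot: The added `logging.WithFields("org_id", orgID, "org_domain", orgDomain).WithError(err).Warn("authz: verify access token")` runs before the system-token fallback, so as far as the hunk shows every request carrying a valid system token logs a warning, and an unauthenticated caller can produce warn-level log lines at request rate. The same pattern appears in the `@ -263,9 +263,11 @@` hunk of getTokenIDAndSubject, where `logging.WithError(err).Warn("token verifier repo: decrypt access token")` fires for every JWT access token because opaque decryption is tried first. Consider logging once after both paths have failed — for example inside `if sysTokenErr != nil || sysMemberships == nil {` with `logging.WithFields("org_id", orgID, "org_domain", orgDomain, "system_token_err", sysTokenErr).WithError(err).Warn("authz: verify access token")` — or lowering the intermediate message to debug level. It is also worth confirming that neither wrapped error can carry the raw bearer token, since these messages land in the operator log. VerifyTokenAndCreateCtxData starts before the hunk and the failure branch body continues after it.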
@ -130,7 +133,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain st
|
|||||||
if orgID == "" && orgDomain == "" {
|
if orgID == "" && orgDomain == "" {
|
||||||
orgID = resourceOwner
|
orgID = resourceOwner
|
||||||
}
|
}
|
||||||
// System API calls dont't have a resource owner
|
// System API calls don't have a resource owner
|
||||||
if orgID != "" {
|
if orgID != "" {
|
||||||
orgID, err = t.ExistsOrg(ctx, orgID, orgDomain)
|
orgID, err = t.ExistsOrg(ctx, orgID, orgDomain)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -263,9 +263,11 @@ func (repo *TokenVerifierRepo) getTokenIDAndSubject(ctx context.Context, accessT
|
|||||||
// let's try opaque first:
|
// let's try opaque first:
|
||||||
tokenIDSubject, err := repo.decryptAccessToken(accessToken)
|
tokenIDSubject, err := repo.decryptAccessToken(accessToken)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logging.WithError(err).Warn("token verifier repo: decrypt access token")
|
||||||
// if decryption did not work, it might be a JWT
|
// if decryption did not work, it might be a JWT
|
||||||
accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx))
|
accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
logging.WithError(err).Warn("token verifier repo: verify JWT access token")
|
||||||
return "", "", false
|
return "", "", false
|
||||||
}
|
}
|
||||||
return accessTokenClaims.JWTID, accessTokenClaims.Subject, true
|
return accessTokenClaims.JWTID, accessTokenClaims.Subject, true
|
||||||
|