fix(authz): add logging to access token verification errors (#6976)

* fix(authz): add logging to access token verification errors

Related to #6949

* use logging fields

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
Tim Möhlmann 2023-11-27 17:35:08 +02:00 committed by GitHub
parent 115d944d38
commit 24b05dc88c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 1 deletions


@ -7,6 +7,8 @@ import (
"errors" "errors"
"strings" "strings"
"github.com/zitadel/logging"
"github.com/zitadel/zitadel/internal/api/grpc" "github.com/zitadel/zitadel/internal/api/grpc"
http_util "github.com/zitadel/zitadel/internal/api/http" http_util "github.com/zitadel/zitadel/internal/api/http"
zitadel_errors "github.com/zitadel/zitadel/internal/errors" zitadel_errors "github.com/zitadel/zitadel/internal/errors"
@ -107,6 +109,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain st
return CtxData{}, err return CtxData{}, err
} }
if err != nil { if err != nil {
logging.WithFields("org_id", orgID, "org_domain", orgDomain).WithError(err).Warn("authz: verify access token")
var sysTokenErr error var sysTokenErr error
sysMemberships, userID, sysTokenErr = t.VerifySystemToken(ctx, tokenWOBearer, orgID) sysMemberships, userID, sysTokenErr = t.VerifySystemToken(ctx, tokenWOBearer, orgID)
if sysTokenErr != nil || sysMemberships == nil { if sysTokenErr != nil || sysMemberships == nil {
@ -130,7 +133,7 @@ func VerifyTokenAndCreateCtxData(ctx context.Context, token, orgID, orgDomain st
if orgID == "" && orgDomain == "" { if orgID == "" && orgDomain == "" {
orgID = resourceOwner orgID = resourceOwner
} }
// System API calls dont't have a resource owner // System API calls don't have a resource owner
if orgID != "" { if orgID != "" {
orgID, err = t.ExistsOrg(ctx, orgID, orgDomain) orgID, err = t.ExistsOrg(ctx, orgID, orgDomain)
if err != nil { if err != nil {
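Review bot: The Warn added in the `if err != nil {` branch of the second hunk, `logging.WithFields("org_id", orgID, "org_domain", orgDomain).WithError(err).Warn("authz: verify access token")`, runs before the `VerifySystemToken` fallback, so a request carrying a valid system token appears to log a warning even though authorization then succeeds, which is a steady false positive for anyone alerting on authz warnings. The same pattern is in the second file, where `logging.WithError(err).Warn("token verifier repo: decrypt access token")` fires on the opaque-decrypt attempt that the following comment says is expected to fail for JWTs. Consider logging these intermediate failures at Debug and keeping Warn for the terminal ones, e.g. `logging.WithFields("org_id", orgID, "org_domain", orgDomain).WithError(err).Debug("authz: verify access token")`. It is also worth confirming that the wrapped `err` never embeds the presented token value, since these lines now write it to the log on every failed verification. VerifyTokenAndCreateCtxData starts before and continues past these hunks.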


@ -263,9 +263,11 @@ func (repo *TokenVerifierRepo) getTokenIDAndSubject(ctx context.Context, accessT
// let's try opaque first: // let's try opaque first:
tokenIDSubject, err := repo.decryptAccessToken(accessToken) tokenIDSubject, err := repo.decryptAccessToken(accessToken)
if err != nil { if err != nil {
logging.WithError(err).Warn("token verifier repo: decrypt access token")
// if decryption did not work, it might be a JWT // if decryption did not work, it might be a JWT
accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx)) accessTokenClaims, err := op.VerifyAccessToken[*oidc.AccessTokenClaims](ctx, accessToken, repo.jwtTokenVerifier(ctx))
if err != nil { if err != nil {
logging.WithError(err).Warn("token verifier repo: verify JWT access token")
return "", "", false return "", "", false
} }
return accessTokenClaims.JWTID, accessTokenClaims.Subject, true return accessTokenClaims.JWTID, accessTokenClaims.Subject, true