Skip to content

Commit

Permalink
revertme: add logging
Browse files Browse the repository at this point in the history
  • Loading branch information
olevski committed Jan 25, 2024
1 parent a49881d commit 23edee2
Showing 1 changed file with 7 additions and 1 deletion.
8 changes: 7 additions & 1 deletion renku/ui/service/serializers/headers.py
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@
from marshmallow import Schema, ValidationError, fields, post_load, pre_load
from werkzeug.utils import secure_filename

from renku.ui.service.logger import service_log

JWT_TOKEN_SECRET = os.getenv("RENKU_JWT_TOKEN_SECRET", "bW9menZ3cnh6cWpkcHVuZ3F5aWJycmJn")


Expand Down Expand Up @@ -95,14 +97,18 @@ def decode_token(token):
@staticmethod
def decode_user(data):
"""Extract renku user from the Keycloak ID token which is a JWT."""
service_log.info(f"decoding token {data}")
try:
jwk = cast(jwt.PyJWKClient, current_app.config["KEYCLOAK_JWK_CLIENT"])
key = jwk.get_signing_key_from_jwt(data)
service_log.info(f"trying with key {key.key} and algo RS256")
decoded = jwt.decode(data, key=key.key, algorithms=["RS256"], audience="renku")
except jwt.PyJWTError:
except jwt.PyJWTError as e:
# NOTE: older tokens used to be signed with HS256 so use this as a backup if the validation with RS256
# above fails. We used to need HS256 because a step that is now removed was generating an ID token and
# signing it from data passed in individual header fields.
service_log.info(f"original error {e}")
service_log.info("trying with HS256")
decoded = jwt.decode(data, JWT_TOKEN_SECRET, algorithms=["HS256"], audience="renku")
return UserIdentityToken().load(decoded)

Expand Down

0 comments on commit 23edee2

Please sign in to comment.