From 23edee234fc64bac9c29972ee6a0fe78f0ff4b5c Mon Sep 17 00:00:00 2001
From: Tasko Olevski
Date: Thu, 25 Jan 2024 18:11:39 +0100
Subject: [PATCH] revertme: add logging
---
 renku/ui/service/serializers/headers.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/renku/ui/service/serializers/headers.py b/renku/ui/service/serializers/headers.py
index 42d82f397d..e32477f46e 100644
--- a/renku/ui/service/serializers/headers.py
+++ b/renku/ui/service/serializers/headers.py
@@ -24,6 +24,8 @@
 from marshmallow import Schema, ValidationError, fields, post_load, pre_load
 from werkzeug.utils import secure_filename
+from renku.ui.service.logger import service_log
+
 JWT_TOKEN_SECRET = os.getenv("RENKU_JWT_TOKEN_SECRET", "bW9menZ3cnh6cWpkcHVuZ3F5aWJycmJn")
@@ -95,14 +97,18 @@ def decode_token(token):
 @staticmethod
 def decode_user(data):
 """Extract renku user from the Keycloak ID token which is a JWT."""
+ service_log.info(f"decoding token {data}")
 try:
 jwk = cast(jwt.PyJWKClient, current_app.config["KEYCLOAK_JWK_CLIENT"])
 key = jwk.get_signing_key_from_jwt(data)
+ service_log.info(f"trying with key {key.key} and algo RS256")
 decoded = jwt.decode(data, key=key.key, algorithms=["RS256"], audience="renku")
- except jwt.PyJWTError:
+ except jwt.PyJWTError as e:
 # NOTE: older tokens used to be signed with HS256 so use this as a backup if the validation with RS256
 # above fails. We used to need HS256 because a step that is now removed was generating an ID token and
 # signing it from data passed in individual header fields.
+ service_log.info(f"original error {e}")
+ service_log.info("trying with HS256")
 decoded = jwt.decode(data, JWT_TOKEN_SECRET, algorithms=["HS256"], audience="renku")
 return UserIdentityToken().load(decoded)
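Review bot: The first line added to `decode_user`, `service_log.info(f"decoding token {data}")`, writes the complete Keycloak ID token to the service log at INFO level. Anyone who can read the log output or its downstream storage then holds a bearer credential that stays usable until it expires, so this should not ship even as temporary debugging. Log no token material, e.g. `service_log.info("decoding user token")`, and identify the verification key by id instead of dumping the key object: `service_log.info("trying RS256 with kid %s", key.key_id)`. The two lines added in the `except` branch expose nothing sensitive, but the legacy HS256 path would be easier to monitor at warning level with lazy arguments, e.g. `service_log.warning("RS256 validation failed (%s), falling back to HS256", e)`.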