revertme: add logging

renku/ui/service/serializers/headers.py

@@ -24,6 +24,8 @@
 from marshmallow import EXCLUDE, Schema, ValidationError, fields, post_load, pre_load
 from werkzeug.utils import secure_filename
 
+from renku.ui.service.logger import service_log
+
 JWT_TOKEN_SECRET = os.getenv("RENKU_JWT_TOKEN_SECRET", "bW9menZ3cnh6cWpkcHVuZ3F5aWJycmJn")
 
 
@@ -105,14 +107,18 @@ def decode_token(token):
     @staticmethod
     def decode_user(data):
         """Extract renku user from the Keycloak ID token which is a JWT."""
+        service_log.info(f"decoding token {data}")
         try:
             jwk = cast(jwt.PyJWKClient, current_app.config["KEYCLOAK_JWK_CLIENT"])
             key = jwk.get_signing_key_from_jwt(data)
+            service_log.info(f"trying with key {key.key} and algo RS256")
             decoded = jwt.decode(data, key=key.key, algorithms=["RS256"], audience="renku")
-        except jwt.PyJWTError:
+        except jwt.PyJWTError as e:
             # NOTE: older tokens used to be signed with HS256 so use this as a backup if the validation with RS256
             # above fails. We used to need HS256 because a step that is now removed was generating an ID token and
             # signing it from data passed in individual header fields.
+            service_log.info(f"original error {e}")
+            service_log.info("trying with HS256")
             decoded = jwt.decode(data, JWT_TOKEN_SECRET, algorithms=["HS256"], audience="renku")
         return UserIdentityToken().load(decoded)