diff --git a/renku/ui/service/serializers/headers.py b/renku/ui/service/serializers/headers.py
index ee8334416a..41cf152089 100644
--- a/renku/ui/service/serializers/headers.py
+++ b/renku/ui/service/serializers/headers.py
@@ -24,6 +24,8 @@ from marshmallow import EXCLUDE, Schema, ValidationError, fields, post_load, pre_load
 from werkzeug.utils import secure_filename
+from renku.ui.service.logger import service_log
+
 JWT_TOKEN_SECRET = os.getenv("RENKU_JWT_TOKEN_SECRET", "bW9menZ3cnh6cWpkcHVuZ3F5aWJycmJn")
@@ -105,14 +107,18 @@ def decode_token(token):
 @staticmethod
 def decode_user(data):
 """Extract renku user from the Keycloak ID token which is a JWT."""
+ service_log.info(f"decoding token {data}")
 try:
 jwk = cast(jwt.PyJWKClient, current_app.config["KEYCLOAK_JWK_CLIENT"])
 key = jwk.get_signing_key_from_jwt(data)
+ service_log.info(f"trying with key {key.key} and algo RS256")
 decoded = jwt.decode(data, key=key.key, algorithms=["RS256"], audience="renku")
- except jwt.PyJWTError:
+ except jwt.PyJWTError as e:
 # NOTE: older tokens used to be signed with HS256 so use this as a backup if the validation with RS256
 # above fails. We used to need HS256 because a step that is now removed was generating an ID token and
 # signing it from data passed in individual header fields.
+ service_log.info(f"original error {e}")
+ service_log.info("trying with HS256")
 decoded = jwt.decode(data, JWT_TOKEN_SECRET, algorithms=["HS256"], audience="renku")
 return UserIdentityToken().load(decoded)
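Review bot: The new `service_log.info(f"decoding token {data}")` in decode_user writes the raw Keycloak ID token — a bearer credential — into the service log at INFO level, and `service_log.info(f"trying with key {key.key} and algo RS256")` prints the signing-key object next to it; anyone with read access to the logs can replay the token for its remaining lifetime, so both lines should be dropped or reduced to a non-sensitive field such as the key id at DEBUG level. The log in the `except` branch is the useful part of the change, but it is split across two INFO calls with an eagerly built f-string; a single lazily formatted warning fits better, `service_log.warning("RS256 validation failed (%s); falling back to HS256", e)`. That warning also gives operators a way to see how often the legacy HS256 path, which verifies against the env-defaulted `JWT_TOKEN_SECRET`, is still being exercised. The class enclosing decode_user starts outside the hunk.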