try to make invalid tokens easier to debug

burnettk 2023-09-02 19:33:09 -04:00
parent 98a4aa4b0c
commit f218805a2d
1 changed files with 10 additions and 0 deletions


@ -162,17 +162,27 @@ class AuthenticationService:
overlapping_aud_values = [x for x in audience_array_in_token if x in valid_audience_values] overlapping_aud_values = [x for x in audience_array_in_token if x in valid_audience_values]
if iss != cls.server_url(): if iss != cls.server_url():
current_app.logger.error(
f"TOKEN INVALID because ISS '{iss}' does not match server url '{cls.server_url()}'"
)
valid = False valid = False
# aud could be an array or a string # aud could be an array or a string
elif len(overlapping_aud_values) < 1: elif len(overlapping_aud_values) < 1:
current_app.logger.error(
f"TOKEN INVALID because audience '{aud}' does not match client id '{cls.client_id()}'"
)
valid = False valid = False
elif azp and azp not in ( elif azp and azp not in (
cls.client_id(), cls.client_id(),
"account", "account",
): ):
current_app.logger.error(f"TOKEN INVALID because azp '{azp}' does not match client id '{cls.client_id()}'")
valid = False valid = False
# make sure issued at time is not in the future # make sure issued at time is not in the future
elif now + iat_clock_skew_leeway < iat: elif now + iat_clock_skew_leeway < iat:
current_app.logger.error(
f"TOKEN INVALID because iat '{iat}' is in the future relative to server now '{now}'"
)
valid = False valid = False
if valid and now > decoded_token["exp"]: if valid and now > decoded_token["exp"]: