From f218805a2d92f0e7949c1300318a40062daf4d00 Mon Sep 17 00:00:00 2001
From: burnettk <burnettk@users.noreply.github.com>
Date: Sat, 2 Sep 2023 19:33:09 -0400
Subject: [PATCH] try to make invalid tokens easier to debug

---
 .../services/authentication_service.py                 | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
index 327035c0..a22bc4a7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -162,17 +162,27 @@ class AuthenticationService:
         overlapping_aud_values = [x for x in audience_array_in_token if x in valid_audience_values]
 
         if iss != cls.server_url():
+            current_app.logger.error(
+                f"TOKEN INVALID because ISS '{iss}' does not match server url '{cls.server_url()}'"
+            )
             valid = False
         # aud could be an array or a string
         elif len(overlapping_aud_values) < 1:
+            current_app.logger.error(
+                f"TOKEN INVALID because audience '{aud}' does not match client id '{cls.client_id()}'"
+            )
             valid = False
         elif azp and azp not in (
             cls.client_id(),
             "account",
         ):
+            current_app.logger.error(f"TOKEN INVALID because azp '{azp}' does not match client id '{cls.client_id()}'")
             valid = False
         # make sure issued at time is not in the future
         elif now + iat_clock_skew_leeway < iat:
+            current_app.logger.error(
+                f"TOKEN INVALID because iat '{iat}' is in the future relative to server now '{now}'"
+            )
             valid = False
 
         if valid and now > decoded_token["exp"]: