Log the error inforamtion when redeem auth code

Author: troydai

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/LoggingExtensions.cs

@@ -37,7 +37,8 @@ internal static class LoggingExtensions
  private static Action<ILogger, string, Exception> _invalidLogoutQueryStringRedirectUrl;
  private static Action<ILogger, Exception> _nullOrEmptyAuthorizationResponseState;
  private static Action<ILogger, Exception> _unableToReadAuthorizationResponseState;
- private static Action<ILogger, string, string, string, Exception> _authorizationResponseError;
+ private static Action<ILogger, string, string, string, Exception> _responseError;
+ private static Action<ILogger, string, string, string, int, Exception> _responseErrorWithStatusCode;
  private static Action<ILogger, Exception> _exceptionProcessingMessage;
  private static Action<ILogger, Exception> _accessTokenNotAvailable;
  private static Action<ILogger, Exception> _retrievingClaims;
@@ -106,10 +107,14 @@ static LoggingExtensions()
  eventId: 11,
  logLevel: LogLevel.Debug,
  formatString: "Unable to read the message.State.");
- _authorizationResponseError = LoggerMessage.Define<string, string, string>(
+ _responseError = LoggerMessage.Define<string, string, string>(
  eventId: 12,
  logLevel: LogLevel.Error,
  formatString: "Message contains error: '{Error}', error_description: '{ErrorDescription}', error_uri: '{ErrorUri}'.");
+ _responseErrorWithStatusCode = LoggerMessage.Define<string, string, string, int>(
+ eventId: 49,
+ logLevel: LogLevel.Error,
+ formatString: "Message contains error: '{Error}', error_description: '{ErrorDescription}', error_uri: '{ErrorUri}', status code '{StatusCode}'.");
  _updatingConfiguration = LoggerMessage.Define(
  eventId: 13,
  logLevel: LogLevel.Debug,
@@ -380,9 +385,14 @@ public static void UnableToReadAuthorizationResponseState(this ILogger logger)
  _unableToReadAuthorizationResponseState(logger, null);
  }
 
- public static void AuthorizationResponseError(this ILogger logger, string error, string errorDescription, string errorUri)
+ public static void ResponseError(this ILogger logger, string error, string errorDescription, string errorUri)
+ {
+ _responseError(logger, error, errorDescription, errorUri, null);
+ }
+
+ public static void ResponseErrorWithStatusCode(this ILogger logger, string error, string errorDescription, string errorUri, int statusCode)
  {
- _authorizationResponseError(logger, error, errorDescription, errorUri, null);
+ _responseErrorWithStatusCode(logger, error, errorDescription, errorUri, statusCode, null);
  }
 
  public static void ExceptionProcessingMessage(this ILogger logger, Exception ex)

src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

@@ -507,14 +507,7 @@ protected override async Task<AuthenticateResult> HandleRemoteAuthenticateAsync(
  // if any of the error fields are set, throw error null
  if (!string.IsNullOrEmpty(authorizationResponse.Error))
  {
- Logger.AuthorizationResponseError(
- authorizationResponse.Error,
- authorizationResponse.ErrorDescription ?? "ErrorDecription null",
- authorizationResponse.ErrorUri ?? "ErrorUri null");
-
- return AuthenticateResult.Fail(new OpenIdConnectProtocolException(
- string.Format(CultureInfo.InvariantCulture, Resources.MessageContainsError, authorizationResponse.Error,
- authorizationResponse.ErrorDescription ?? "ErrorDecription null", authorizationResponse.ErrorUri ?? "ErrorUri null")));
+ return AuthenticateResult.Fail(CreateOpenIdConnectProtocolException(authorizationResponse, response: null));
  }
 
  if (_configuration == null && Options.ConfigurationManager != null)
@@ -590,6 +583,7 @@ protected override async Task<AuthenticateResult> HandleRemoteAuthenticateAsync(
  {
  return result;
  }
+
  authorizationResponse = tokenResponseReceivedContext.ProtocolMessage;
  tokenEndpointResponse = tokenResponseReceivedContext.TokenEndpointResponse;
 
@@ -684,20 +678,50 @@ private void PopulateSessionProperties(OpenIdConnectMessage message, Authenticat
  }
 
  /// <summary>
- /// Redeems the authorization code for tokens at the token endpoint
+ /// Redeems the authorization code for tokens at the token endpoint.
  /// </summary>
  /// <param name="tokenEndpointRequest">The request that will be sent to the token endpoint and is available for customization.</param>
  /// <returns>OpenIdConnect message that has tokens inside it.</returns>
  protected virtual async Task<OpenIdConnectMessage> RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
  {
  Logger.RedeemingCodeForTokens();
+
  var requestMessage = new HttpRequestMessage(HttpMethod.Post, _configuration.TokenEndpoint);
  requestMessage.Content = new FormUrlEncodedContent(tokenEndpointRequest.Parameters);
+
  var responseMessage = await Backchannel.SendAsync(requestMessage);
- responseMessage.EnsureSuccessStatusCode();
- var tokenResonse = await responseMessage.Content.ReadAsStringAsync();
- var jsonTokenResponse = JObject.Parse(tokenResonse);
- return new OpenIdConnectMessage(jsonTokenResponse);
+
+ var contentMediaType = responseMessage.Content.Headers.ContentType?.MediaType;
+ if (string.IsNullOrEmpty(contentMediaType))
+ {
+ Logger.LogDebug($"Unexpected token response format. Status Code: {(int)responseMessage.StatusCode}. Content-Type header is missing.");
+ }
+ else if (!string.Equals(contentMediaType, "application/json", StringComparison.OrdinalIgnoreCase))
+ {
+ Logger.LogDebug($"Unexpected token response format. Status Code: {(int)responseMessage.StatusCode}. Content-Type {responseMessage.Content.Headers.ContentType}.");
+ }
+
+ // Error handling:
+ // 1. If the response body can't be parsed as json, throws.
+ // 2. If the response's status code is not in 2XX range, throw OpenIdConnectProtocolException. If the body is correct parsed, 
+ // pass the error information from body to the exception.
+ OpenIdConnectMessage message;
+ try
+ {
+ var responseContent = await responseMessage.Content.ReadAsStringAsync();
+ message = new OpenIdConnectMessage(responseContent);
+ }
+ catch (Exception ex)
+ {
+ throw new OpenIdConnectProtocolException($"Failed to parse token response body as JSON. Status Code: {(int)responseMessage.StatusCode}. Content-Type: {responseMessage.Content.Headers.ContentType}", ex);
+ }
+
+ if (!responseMessage.IsSuccessStatusCode)
+ {
+ throw CreateOpenIdConnectProtocolException(message, responseMessage);
+ }
+
+ return message;
  }
 
  /// <summary>
@@ -1016,7 +1040,10 @@ private async Task<AuthorizationCodeReceivedContext> RunAuthorizationCodeReceive
  return authorizationCodeReceivedContext;
  }
 
- private async Task<TokenResponseReceivedContext> RunTokenResponseReceivedEventAsync(OpenIdConnectMessage message, OpenIdConnectMessage tokenEndpointResponse, AuthenticationProperties properties)
+ private async Task<TokenResponseReceivedContext> RunTokenResponseReceivedEventAsync(
+ OpenIdConnectMessage message,
+ OpenIdConnectMessage tokenEndpointResponse,
+ AuthenticationProperties properties)
  {
  Logger.TokenResponseReceived();
  var eventContext = new TokenResponseReceivedContext(Context, Options, properties)
@@ -1157,5 +1184,27 @@ private string BuildRedirectUriIfRelative(string uri)
 
  return BuildRedirectUri(uri);
  }
+
+ private OpenIdConnectProtocolException CreateOpenIdConnectProtocolException(OpenIdConnectMessage message, HttpResponseMessage response)
+ {
+ var description = message.ErrorDescription ?? "error_description is null";
+ var errorUri = message.ErrorUri ?? "error_uri is null";
+
+ if (response != null)
+ {
+ Logger.ResponseErrorWithStatusCode(message.Error, description, errorUri, (int)response.StatusCode);
+ }
+ else
+ {
+ Logger.ResponseError(message.Error, description, errorUri);
+ }
+
+ return new OpenIdConnectProtocolException(string.Format(
+ CultureInfo.InvariantCulture,
+ Resources.MessageContainsError,
+ message.Error,
+ description,
+ errorUri));
+ }
  }
 }