FEATURE: Option to enable verbose logging of authentication process

Author: davidtaylorhq

config/locales/server.en.yml

@@ -7,4 +7,5 @@ en:
  openid_connect_authorize_scope: "The scopes sent to the authorize endpoint. This must include 'openid'."
  openid_connect_token_scope: "The scopes sent when requesting the token endpoint. The official specification does not require this."
  openid_connect_error_redirects: "If the callback error_reason contains the first parameter, the user will be redirected to the URL in the second parameter"
- openid_connect_allow_association_change: "Allow users to disconnect and reconnect their Discourse accounts from the OpenID Connect provider"
+ openid_connect_allow_association_change: "Allow users to disconnect and reconnect their Discourse accounts from the OpenID Connect provider"
+ openid_connect_verbose_logging: "Log detailed openid-connect authentication information to `/logs`. Keep this disabled during normal use."

config/settings.yml

@@ -11,6 +11,8 @@ plugins:
  default: false
  openid_connect_authorize_scope:
  default: "openid"
+ openid_connect_verbose_logging:
+ default: false
  openid_connect_token_scope:
  default: ""
  openid_connect_error_redirects:

lib/omniauth_open_id_connect.rb

@@ -12,6 +12,7 @@ class OpenIDConnect < OmniAuth::Strategies::OAuth2
  option :use_userinfo, true
  option :cache, lambda { |key, &blk| blk.call } # Default no-op cache
  option :error_handler, lambda { |error, message| nil } # Default no-op handler
+ option :verbose_logger, lambda { |message| nil } # Default no-op handler
  option :passthrough_authorize_options, [:p]
  option :passthrough_token_options, [:p]
 
@@ -23,10 +24,16 @@ class OpenIDConnect < OmniAuth::Strategies::OAuth2
  userinfo_endpoint: nil,
  auth_scheme: :basic_auth
 
+ def verbose_log(message)
+ options.verbose_logger.call(message)
+ end
+
  def discover!
+ verbose_log("Fetching discovery document from #{options[:client_options][:discovery_document]}")
  discovery_document = options.cache.call("openid_discovery_#{options[:client_options][:discovery_document]}") do
  client.request(:get, options[:client_options][:discovery_document], parse: :json).parsed
  end
+ verbose_log("Discovery document loaded\n\n#{discovery_document.to_yaml}")
 
  discovery_params = {
  authorize_url: "authorization_endpoint",
@@ -80,6 +87,7 @@ def token_params
 
  def callback_phase
  if request.params["error"] && request.params["error_description"] && response = options.error_handler.call(request.params["error"], request.params["error_description"])
+ verbose_log("Error handled, redirecting\n\n#{response.to_yaml}")
  return redirect(response)
  end
 
@@ -106,7 +114,7 @@ def id_token_info
  # token was acquired via a direct server-server connection to the issuer
  @id_token_info ||= begin
  decoded = JWT.decode(access_token['id_token'], nil, false).first
-
+ verbose_log("Loaded JWT\n\n#{decoded.to_yaml}")
  JWT::Verify.verify_claims(decoded,
  verify_iss: true,
  iss: options[:client_options][:site],
@@ -118,13 +126,19 @@ def id_token_info
  verify_iat: true,
  verify_jti: false
  )
+ verbose_log("Verified JWT\n\n#{decoded.to_yaml}")
 
  decoded
  end
  end
 
  def userinfo_response
- @raw_info ||= access_token.get(options[:client_options][:userinfo_endpoint]).parsed
+ @raw_info ||= begin
+ info = access_token.get(options[:client_options][:userinfo_endpoint]).parsed
+ verbose_log("Fetched userinfo response\n\n#{info.to_yaml}")
+ info
+ end
+
  return fail!(:csrf_detected, CallbackError.new(:csrf_detected, "CSRF detected")) unless @raw_info['sub'] == id_token_info['sub']
  @raw_info
  end

plugin.rb

@@ -37,6 +37,10 @@ def register_middleware(omniauth)
  end
  nil
  },
+ verbose_logger: lambda { |message|
+ return unless SiteSetting.openid_connect_verbose_logging
+ Rails.logger.warn("OIDC Log: #{message}")
+ },
  setup: lambda { |env|
  opts = env['omniauth.strategy'].options
  opts.deep_merge!(