Add trace logging to help observe upstream OIDC refresh token revocation

2021-11-11 12:24:05 -08:00 · 2021-11-11 12:24:05 -08:00 · 48518e9513
commit 48518e9513
parent de79f15068
1 changed files with 5 additions and 0 deletions
--- a/internal/upstreamoidc/upstreamoidc.go
+++ b/internal/upstreamoidc/upstreamoidc.go
@ -140,6 +140,7 @@ func (p *ProviderConfig) PerformRefresh(ctx context.Context, refreshToken string
 // RevokeRefreshToken will attempt to revoke the given token, if the provider has a revocation endpoint.
 func (p *ProviderConfig) RevokeRefreshToken(ctx context.Context, refreshToken string) error {
 	if p.RevocationURL == nil {
+		plog.Trace("RevokeRefreshToken() was called but upstream provider has no available revocation endpoint", "providerName", p.Name)
 		return nil
 	}
 	// First try using client auth in the request params.
@ -199,9 +200,11 @@ func (p *ProviderConfig) tryRevokeRefreshToken(
 	switch resp.StatusCode {
 	case http.StatusOK:
 		// Success!
+		plog.Trace("RevokeRefreshToken() got 200 OK response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth)
 		return false, nil
 	case http.StatusBadRequest:
 		// Bad request might be due to bad client auth method. Try to detect that.
+		plog.Trace("RevokeRefreshToken() got 400 Bad Request response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth)
 		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return false,
@ -224,9 +227,11 @@ func (p *ProviderConfig) tryRevokeRefreshToken(
 		}
 		// Got an "invalid_client" response, which might mean client auth failed, so it may be worth trying again
 		// using another client auth method. See https://datatracker.ietf.org/doc/html/rfc6749#section-5.2
+		plog.Trace("RevokeRefreshToken()'s 400 Bad Request response from provider's revocation endpoint was type 'invalid_client'", "providerName", p.Name, "usedBasicAuth", useBasicAuth)
 		return true, err
 	default:
 		// Any other error is probably not due to failed client auth.
+		plog.Trace("RevokeRefreshToken() got unexpected error response from provider's revocation endpoint", "providerName", p.Name, "usedBasicAuth", useBasicAuth, "statusCode", resp.StatusCode)
 		return false, fmt.Errorf("server responded with status %d", resp.StatusCode)
 	}
 }