From 83e0934864cae396dc1ee6ffa25c2049adf9427f Mon Sep 17 00:00:00 2001 From: Andrew Keesler Date: Fri, 4 Dec 2020 09:05:39 -0500 Subject: [PATCH] Add logging in dynamic OIDC ECDSA strategy I'm worried that these errors are going to be really burried from the user, so add some log statements to try to make them a tiny bit more observable. Also follow some of our error message convetions by using lowercase error messages. Signed-off-by: Andrew Keesler --- .../dynamic_open_id_connect_ecdsa_strategy.go | 16 +++++++++++++++- ...ynamic_open_id_connect_ecdsa_strategy_test.go | 2 +- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go b/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go index 00261379..83472a0f 100644 --- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go +++ b/internal/oidc/dynamic_open_id_connect_ecdsa_strategy.go @@ -6,8 +6,10 @@ package oidc import ( "context" "crypto/ecdsa" + "reflect" "go.pinniped.dev/internal/constable" + "go.pinniped.dev/internal/plog" "github.com/ory/fosite" "github.com/ory/fosite/compose" @@ -40,10 +42,22 @@ func (s *dynamicOpenIDConnectECDSAStrategy) GenerateIDToken( ) (string, error) { _, activeJwk := s.jwksProvider.GetJWKS(s.fositeConfig.IDTokenIssuer) if activeJwk == nil { - return "", constable.Error("No JWK found for issuer") + plog.Debug("no JWK found for issuer", "issuer", s.fositeConfig.IDTokenIssuer) + return "", constable.Error("no JWK found for issuer") } key, ok := activeJwk.Key.(*ecdsa.PrivateKey) if !ok { + actualType := "nil" + if t := reflect.TypeOf(activeJwk.Key); t != nil { + actualType = t.String() + } + plog.Debug( + "JWK must be of type ecdsa", + "issuer", + s.fositeConfig.IDTokenIssuer, + "actualType", + actualType, + ) return "", constable.Error("JWK must be of type ecdsa") } 
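Review bot: The two new `plog.Debug` calls in GenerateIDToken emit at a level that is commonly switched off in production, which works against the stated goal of making a missing or mis-typed signing key visible; an ID-token issuance failure caused by provider key configuration seems worth at least a warning-level entry (`plog.Warning` if plog exposes that level, otherwise the lowest level that is on by default). The adjacent `return "", constable.Error(...)` lines still hand back the bare string without issuer or type, so anyone who only sees the error gets no more context than before — acceptable only if the log line actually fires. As a style point, the `reflect.TypeOf` block that computes `actualType` can be collapsed to `actualType := fmt.Sprintf("%T", activeJwk.Key)` (it prints `<nil>` for a nil key), which would let the `reflect` import added in the first hunk go away in exchange for `fmt`. Nothing logged here includes key material, which is the right call for a signing-key path. GenerateIDToken's body continues past the end of the hunk.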
diff --git a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go b/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go
index a35bfa13..38cb35de 100644
--- a/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go
+++ b/internal/oidc/dynamic_open_id_connect_ecdsa_strategy_test.go
@@ -65,7 +65,7 @@ func TestDynamicOpenIDConnectECDSAStrategy(t *testing.T) {
 		{
 			name: "jwks provider does not contain signing key for issuer",
 			issuer: goodIssuer,
-			wantError: "No JWK found for issuer",
+			wantError: "no JWK found for issuer",
 		},
 		{
 			name: "jwks provider contains signing key of wrong type for issuer",
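Review bot: The new `actualType == "nil"` branch that the strategy change adds to the wrong-type path is not covered by anything in this hunk, which only tracks the lowercase message; the neighbouring "signing key of wrong type" case presumably seeds a non-nil key of another type, so the nil branch goes unexercised unless a case elsewhere in the table sets `Key: nil`. If none does, a table entry such as `{name: "jwks provider contains nil key for issuer", issuer: goodIssuer, wantError: "JWK must be of type ecdsa"}` backed by a JWK with a nil `Key` would pin that path. The `wantError` comparison shows these strings are part of the tested contract, so the lowercase change is correctly mirrored here. The test table continues on both sides of the hunk.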