Make the OIDC error messages more verbose and include non-secret client-secrets.json

2026-04-05 03:38:12 +08:00 · 2016-12-05 11:40:00 +01:00
parent 8cb4e0de5d
commit 8b3244405f
3 changed files with 19 additions and 5 deletions
--- a/client_secrets.json
+++ b/client_secrets.json
@@ -0,0 +1,12 @@
+{
+    "web": {
+        "auth_uri": "https://id.stg.fedoraproject.org/openidc/Authorization",
+        "client_id": "mbs-authorizer",
+        "client_secret": "notsecret",
+        "redirect_uris": [
+            "http://localhost:13747/"
+        ],
+        "token_uri": "https://id.stg.fedoraproject.org/openidc/Token",
+        "token_introspection_uri": "https://id.stg.fedoraproject.org/openidc/TokenInfo"
+    }
+}
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -80,12 +80,14 @@ def get_username(request):
    _load_secrets()

    if not "oidc_token" in request.cookies:
-        raise Unauthorized("Cannot verify OIDC token.")
+        raise Unauthorized("Cannot verify OIDC token: No 'oidc_token' "
+            "cookie found.")

    token = request.cookies["oidc_token"]
-    data = get_token_info(token)
-    if not data:
-        raise Unauthorized("Cannot verify OIDC token.")
+    try:
+        data = get_token_info(token)
+    except Exception as e:
+        raise Unauthorized("Cannot verify OIDC token: %s" % str(e))

    if not "active" in data or not data["active"]:
        raise Unauthorized("OIDC token invalid or expired.")
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
@@ -261,7 +261,7 @@ class TestViews(unittest.TestCase):
        data = json.loads(rv.data)
        self.assertEquals(
            data['message'],
-            'Cannot verify OIDC token.'
+            "Cannot verify OIDC token: No 'oidc_token' cookie found."
        )
        self.assertEquals(data['status'], 401)
        self.assertEquals(data['error'], 'Unauthorized')