Improve Logging of OIDC Token Event #5485
Can probably remove this @session_expiration assignment and just inline it in the expiration checking method?
I was worried about changing the expiration to be dependent on the order of the validations. Though, if it's going to be an attribute, it probably makes sense to move it up into initialize?
IMO it's not even worth saving as an attribute? It's fairly cheap to calculate, and the start of validation and the finish of validation are not more than a few ms apart I would guess
I was close to adding it as a parameter with a default because it felt like something that could be more explicit and exposed to the caller, but I wasn't 100% sure.
| invalid_code: is invalid either because it expired, or it doesn’t match any | ||
| user. Please see our documentation at | ||
| https://developers.login.gov/oidc/#token | ||
| invalid_code: is invalid because doesn’t match any user. Please see our |
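Review bot: the new `invalid_code` string drops its subject: "is invalid because doesn't match any user" should read "is invalid because it doesn't match any user", so the split message stays grammatical once the expiry wording is removed from it.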
I have a translation request out for the separated error messages
👍 just confirming we have a test later in the file that checks for invalid_code
zachmargolis
left a comment
LGTM [pending translations]
The OIDC Token request is almost always server to server, but our event log tries to prevent bots from logging events. We should allow "bots" since they are able to make valid requests in some situations.
I've also split up some token validation logic in cases where the token is expired. This will give us slightly more insight when troubleshooting token request issues with partners because we have more specific errors, and will include the service_provider in the metadata if we can find it, even if the token is invalid/expired.
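As an added illustration (not the PR's own code, nor login.gov's), the split described above: a validator that reports "no matching user" and "code expired" as separate errors, keeps the expiry check inlined rather than stored as an attribute, and still surfaces service_provider in the event metadata when the code resolves to an identity even though it has expired. Class, method and error-string names, the identity store and the 300 s TTL are all assumptions.

```ruby
require 'time'

# Constructed stand-in for a persisted identity row (assumed shape).
Identity = Struct.new(:session_uuid, :service_provider, :code_issued_at, keyword_init: true)

# Fixed clock so results are deterministic (constructed sample data).
NOW = Time.utc(2021, 9, 1, 12, 0, 0)
IDENTITIES = {
  'fresh-code' => Identity.new(session_uuid: 'u1', service_provider: 'urn:gov:gsa:sp:alpha',
                               code_issued_at: NOW - 60),
  'stale-code' => Identity.new(session_uuid: 'u2', service_provider: 'urn:gov:gsa:sp:beta',
                               code_issued_at: NOW - 3600),
}.freeze

class TokenRequestValidator
  CODE_TTL = 300 # seconds an authorization code stays usable (assumed value)

  attr_reader :errors

  def initialize(code:, now: Time.now)
    @code = code
    @now = now
    @identity = IDENTITIES[code] # a real implementation would query the database
    @errors = {}
  end

  # Runs the checks in order; true only when every check passes.
  def valid?
    @errors = {}
    if @identity.nil?
      @errors[:code] = 'invalid_code: does not match any user' # no user at all
    elsif code_expired?
      @errors[:code] = 'invalid_code: has expired'             # user found, code stale
    end
    @errors.empty?
  end

  # Event-log metadata: service_provider is filled whenever the code resolved
  # to an identity, including the expired case, so partner issues are traceable.
  def analytics_attributes
    {
      success: valid?,
      errors: errors,
      code_expired: !@identity.nil? && code_expired?,
      service_provider: @identity&.service_provider,
    }
  end

  private

  # Computed on demand rather than memoized: cheap, and independent of validation order.
  def code_expired?
    @identity.code_issued_at + CODE_TTL < @now
  end
end
```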