Improve Logging of OIDC Token Event

app/forms/openid_connect_token_form.rb

@@ -22,6 +22,7 @@ class OpenidConnectTokenForm
                          in: [CLIENT_ASSERTION_TYPE],
                          if: :private_key_jwt?
 
+  validate :validate_expired
   validate :validate_code
   validate :validate_pkce_or_private_key_jwt
   validate :validate_code_verifier, if: :pkce?
@@ -31,6 +32,7 @@ def initialize(params)
     ATTRS.each do |key|
       instance_variable_set(:"@#{key}", params[key])
     end
+    @session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
     @identity = find_identity_with_code
   end
 
@@ -61,14 +63,12 @@ def url_options
 
   private
 
-  attr_reader :identity
+  attr_reader :identity, :session_expiration
 
   def find_identity_with_code
     return if code.blank? || code.include?("\x00")
 
-    session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
     @identity = ServiceProviderIdentity.where(session_uuid: code).
-                where('updated_at >= ?', session_expiration).
                 order(updated_at: :desc).first
   end
 
@@ -94,6 +94,12 @@ def validate_pkce_or_private_key_jwt
     errors.add :code, t('openid_connect.token.errors.invalid_authentication')
   end
 
+  def validate_expired
+    if identity&.updated_at && identity.updated_at < session_expiration
+      errors.add :code, t('openid_connect.token.errors.expired_code')
+    end
+  end
+
   def validate_code
     errors.add :code, t('openid_connect.token.errors.invalid_code') if identity.blank? ||
                                                                        !identity.user

config/initializers/ahoy.rb

@@ -6,6 +6,7 @@
 Ahoy.server_side_visits = false
 Ahoy.geocode = false
 Ahoy.user_agent_parser = :device_detector
+Ahoy.track_bots = true
 
 module Ahoy
   class Store < Ahoy::BaseStore

config/locales/openid_connect/en.yml

@@ -22,12 +22,12 @@ en:
         id_token_hint: id_token_hint was not recognized
     token:
       errors:
+        expired_code: is expired
         invalid_aud: Invalid audience claim, expected %{url}
         invalid_authentication: Client must authenticate via PKCE or private_key_jwt,
           missing either code_challenge or client_assertion
-        invalid_code: is invalid either because it expired, or it doesn’t match any
-          user. Please see our documentation at
-          https://developers.login.gov/oidc/#token
+        invalid_code: is invalid because doesn’t match any user. Please see our
+          documentation at https://developers.login.gov/oidc/#token
         invalid_code_verifier: code_verifier did not match code_challenge
         invalid_iat: iat must be an integer or floating point Unix timestamp
           representing a time in the past

config/locales/openid_connect/es.yml

@@ -22,12 +22,12 @@ es:
         id_token_hint: Id_token_hint no fue reconocido
     token:
       errors:
+        expired_code: ha expirado
         invalid_aud: Solicitud de audiencia no válida, esperada %{url}
         invalid_authentication: El cliente debe autenticarse a través de PKCE o
           private_key_jwt, faltando code_challenge o client_assertion
-        invalid_code: no es válido porque ha caducado o no coincide con ningún usuario.
-          Consulte nuestra documentación en
-          https://developers.login.gov/oidc/#token
+        invalid_code: no es válido porque no coincide con ningún usuario. Consulte
+          nuestra documentación en https://developers.login.gov/oidc/#token
         invalid_code_verifier: code_verifier no coincide con code_challenge
         invalid_iat: iat debe ser una marca de tiempo Unix de punto flotante o entero
           que represente un tiempo en el pasado

config/locales/openid_connect/fr.yml

@@ -22,12 +22,13 @@ fr:
         id_token_hint: id_token_hint n’a pas été reconnu
     token:
       errors:
+        expired_code: est expiré
         invalid_aud: Affirmation liée à l’auditoire non valide, attendu %{url}
         invalid_authentication: Le client doit s’authentifier par PKCE ou
           private_key_jwt, code_challenge ou client_assertion manquant
-        invalid_code: est non valide soit parce qu’il est périmé, soit parce qu’il ne
-          correspond à aucun utilisateur. Veuillez consulter notre documentation
-          à https://developers.login.gov/oidc/#token
+        invalid_code: n’est pas valide, car il ne correspond à aucun utilisateur.
+          Veuillez consulter notre documentation à
+          https://developers.login.gov/oidc/#token
         invalid_code_verifier: code_verifier ne correspondait pas à code_challenge
         invalid_iat: iat doit être un horodatage Unix entier ou à virgule flottante
           représentant une heure dans le passé

spec/forms/openid_connect_token_form_spec.rb

@@ -102,7 +102,7 @@
 
         it 'is invalid' do
           expect(valid?).to eq(false)
-          expect(form.errors[:code]).to include(t('openid_connect.token.errors.invalid_code'))
+          expect(form.errors[:code]).to eq([t('openid_connect.token.errors.expired_code')])
         end
       end