Separate OpenID Connect Authorization Request and Handoff Logging

app/controllers/openid_connect/authorization_controller.rb

@@ -30,15 +30,12 @@ def index
       link_identity_to_service_provider
 
       result = @authorize_form.submit
-      # track successful forms, see pre_validate_authorize_form for unsuccessful
-      # this needs to be after link_identity_to_service_provider so that "code" is present
 
-      referer = request.referer
       if auth_count == 1 && first_visit_for_sp?
-        track_authorize_analytics(result, user_sp_authorized: false, referer: referer)
+        track_handoff_analytics(result, user_sp_authorized: false)
         return redirect_to(user_authorization_confirmation_url)
       end
-      track_authorize_analytics(result, user_sp_authorized: true, referer: referer)
+      track_handoff_analytics(result, user_sp_authorized: true)
       handle_successful_handoff
     end
 
@@ -79,11 +76,12 @@ def handle_successful_handoff
       delete_branded_experience
     end
 
-    def track_authorize_analytics(result, extra = {})
-      extra[:user_fully_authenticated] = user_fully_authenticated?
-      analytics_attributes = result.to_h.except(:redirect_uri).merge(extra)
-
-      analytics.openid_connect_request_authorization(**analytics_attributes)
+    def track_handoff_analytics(result, attributes = {})
+      analytics.openid_connect_authorization_handoff(
+        **attributes.merge(result.to_h.slice(:client_id, :code_digest)).merge(
+          success: result.success?,
+        ),
+      )
     end
 
     def identity_needs_verification?
@@ -111,11 +109,14 @@ def authorization_params
 
     def pre_validate_authorize_form
       result = @authorize_form.submit
+      analytics.openid_connect_request_authorization(
+        **result.to_h.except(:redirect_uri, :code_digest).merge(
+          user_fully_authenticated: user_fully_authenticated?,
+          referer: request.referer,
+        ),
+      )
       return if result.success?
 
-      # track forms with errors
-      track_authorize_analytics(result, referer: request.referer)
-
       if (redirect_uri = result.extra[:redirect_uri])
         redirect_to redirect_uri, allow_other_host: true
       else

app/services/analytics_events.rb

@@ -2826,6 +2826,22 @@ def oidc_logout_visited(
     )
   end
 
+  # Tracks when a sucessful openid authorization request is returned
+  # @param [String] client_id
+  # @param [String] code_digest hash of returned "code" param
+  def openid_connect_authorization_handoff(
+    client_id:,
+    code_digest:,
+    **extra
+  )
+    track_event(
+      'OpenID Connect: authorization request handoff',
+      client_id: client_id,
+      code_digest: code_digest,
+      **extra,
+    )
+  end
+
   # Tracks when an openid connect bearer token authentication request is made
   # @param [Boolean] success
   # @param [Integer] ial
@@ -2848,14 +2864,12 @@ def openid_connect_bearer_token(success:, ial:, client_id:, errors:, **extra)
   # @param [Array] acr_values
   # @param [Boolean] unauthorized_scope
   # @param [Boolean] user_fully_authenticated
-  # @param [String] code_digest hash of returned "code" param
   def openid_connect_request_authorization(
     client_id:,
     scope:,
     acr_values:,
     unauthorized_scope:,
     user_fully_authenticated:,
-    code_digest:,
     **extra
   )
     track_event(
@@ -2865,7 +2879,6 @@ def openid_connect_request_authorization(
       acr_values: acr_values,
       unauthorized_scope: unauthorized_scope,
       user_fully_authenticated: user_fully_authenticated,
-      code_digest: code_digest,
       **extra,
     )
   end

spec/controllers/openid_connect/authorization_controller_spec.rb

@@ -55,13 +55,17 @@
                  client_id: client_id,
                  prompt: 'select_account',
                  referer: nil,
-                 user_sp_authorized: true,
                  allow_prompt_login: true,
                  errors: {},
                  unauthorized_scope: true,
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
-                 scope: 'openid',
+                 scope: 'openid')
+          expect(@analytics).to receive(:track_event).
+            with('OpenID Connect: authorization request handoff',
+                 success: true,
+                 client_id: client_id,
+                 user_sp_authorized: true,
                  code_digest: kind_of(String))
           expect(@analytics).to receive(:track_event).
             with(
@@ -119,13 +123,17 @@
                      client_id: client_id,
                      prompt: 'select_account',
                      referer: nil,
-                     user_sp_authorized: true,
                      allow_prompt_login: true,
                      errors: {},
                      unauthorized_scope: false,
                      user_fully_authenticated: true,
                      acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
-                     scope: 'openid profile',
+                     scope: 'openid profile')
+              expect(@analytics).to receive(:track_event).
+                with('OpenID Connect: authorization request handoff',
+                     success: true,
+                     client_id: client_id,
+                     user_sp_authorized: true,
                      code_digest: kind_of(String))
               expect(@analytics).to receive(:track_event).
                 with(
@@ -277,13 +285,17 @@
                        client_id: client_id,
                        prompt: 'select_account',
                        referer: nil,
-                       user_sp_authorized: true,
                        allow_prompt_login: true,
                        errors: {},
                        unauthorized_scope: false,
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
-                       scope: 'openid profile',
+                       scope: 'openid profile')
+                expect(@analytics).to receive(:track_event).
+                  with('OpenID Connect: authorization request handoff',
+                       success: true,
+                       client_id: client_id,
+                       user_sp_authorized: true,
                        code_digest: kind_of(String))
                 expect(@analytics).to receive(:track_event).
                   with(
@@ -323,13 +335,17 @@
                        client_id: client_id,
                        prompt: 'select_account',
                        referer: nil,
-                       user_sp_authorized: true,
                        allow_prompt_login: true,
                        errors: {},
                        unauthorized_scope: false,
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
-                       scope: 'openid profile',
+                       scope: 'openid profile')
+                expect(@analytics).to receive(:track_event).
+                  with('OpenID Connect: authorization request handoff',
+                       success: true,
+                       client_id: client_id,
+                       user_sp_authorized: true,
                        code_digest: kind_of(String))
                 expect(@analytics).to receive(:track_event).
                   with(
@@ -370,13 +386,17 @@
                        client_id: client_id,
                        prompt: 'select_account',
                        referer: nil,
-                       user_sp_authorized: true,
                        allow_prompt_login: true,
                        errors: {},
                        unauthorized_scope: false,
                        user_fully_authenticated: true,
                        acr_values: 'http://idmanagement.gov/ns/assurance/ial/0',
-                       scope: 'openid profile',
+                       scope: 'openid profile')
+                expect(@analytics).to receive(:track_event).
+                  with('OpenID Connect: authorization request handoff',
+                       success: true,
+                       client_id: client_id,
+                       user_sp_authorized: true,
                        code_digest: kind_of(String))
                 expect(@analytics).to receive(:track_event).
                   with(
@@ -459,8 +479,7 @@
                  error_details: hash_including(:prompt),
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
-                 scope: 'openid',
-                 code_digest: nil)
+                 scope: 'openid')
           expect(@analytics).to_not receive(:track_event).with('SP redirect initiated')
 
           action
@@ -491,8 +510,7 @@
                  error_details: hash_including(:client_id),
                  user_fully_authenticated: true,
                  acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
-                 scope: 'openid',
-                 code_digest: nil)
+                 scope: 'openid')
           expect(@analytics).to_not receive(:track_event).with('SP redirect initiated')
 
           action
@@ -541,6 +559,20 @@
       end
 
       it 'redirects to SP landing page with the request_id in the params' do
+        stub_analytics
+        expect(@analytics).to receive(:track_event).
+          with('OpenID Connect: authorization request',
+               success: true,
+               client_id: client_id,
+               prompt: 'select_account',
+               referer: nil,
+               allow_prompt_login: true,
+               errors: {},
+               unauthorized_scope: true,
+               user_fully_authenticated: false,
+               acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
+               scope: 'openid')
+
         action
         sp_request_id = ServiceProviderRequestProxy.last.uuid