From b6a402ab5fb2e74e7778a0e1f6e572425f410491 Mon Sep 17 00:00:00 2001
From: Alexandre Dutra
Date: Tue, 12 Aug 2025 21:40:05 +0200
Subject: [PATCH] JWTBroker: move error message

This change moves the `LOGGER.error` call when a token cannot be verified from `verify()` to `generateFromToken()`. On the token generation path, this should be a no-op; however, on the authentication path, this log message was excessive, especially when using mixed authentication since a failure to decode a token is perfectly normal when the token is from an external IDP.
---
 .../main/java/org/apache/polaris/service/auth/JWTBroker.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java b/runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java
index 48d5735a10..c591ca1232 100644
--- a/runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java
+++ b/runtime/service/src/main/java/org/apache/polaris/service/auth/JWTBroker.java
@@ -89,8 +89,8 @@ public String getScope() {
 };
 } catch (JWTVerificationException e) {
- LOGGER.error("Failed to verify the token with error", e);
- throw new NotAuthorizedException("Failed to verify the token");
+ throw (NotAuthorizedException)
+ new NotAuthorizedException("Failed to verify the token").initCause(e);
 }
 }
@@ -115,6 +115,7 @@ public TokenResponse generateFromToken(
 try {
 decodedToken = verify(subjectToken);
 } catch (NotAuthorizedException e) {
+ LOGGER.error("Failed to verify the token", e.getCause());
 return new TokenResponse(Error.invalid_client);
 }
 EntityResult principalLookup =
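Review bot: After this change the `catch (JWTVerificationException e)` branch of `verify()` records nothing, so on the authentication path a rejected token leaves no trace unless the caller logs the attached cause, and no such caller is visible in this diff. A low-level record before the throw, for example `LOGGER.debug("Failed to verify the token", e);`, would keep repeated invalid-token attempts investigable without the noise the description mentions for mixed authentication. The cast around `initCause(e)` also deserves a short comment such as `// initCause returns Throwable; generateFromToken() reads this cause for logging`, because that coupling between the two methods is otherwise implicit. The enclosing method starts outside the hunk.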
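Review bot: `e.getCause()` in the added `LOGGER.error` call is null for any `NotAuthorizedException` that `verify()` throws without a cause; only the branch in the first hunk is shown to set one, and the rest of `verify()` is outside the diff. In that case the log entry would carry no reason for the rejection. Logging the exception itself, `LOGGER.error("Failed to verify the token", e);`, keeps the cause chain when it is present and still records the failure when it is not. Since `subjectToken` comes from the request, it may also be worth checking whether `warn` is a better fit than `error` here, which depends on how this endpoint is exposed. The body of `generateFromToken()` continues past the end of the hunk.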