Merge pull request kubeguard#378 from gambtho/thgamble/log-token-claim

log token claims at verbose level when failing token verification

auth/providers/azure/azure.go

@@ -33,6 +33,7 @@ import (
 
 	"github.com/Azure/go-autorest/autorest/azure"
 	"github.com/coreos/go-oidc"
+	"github.com/golang-jwt/jwt/v4"
 	"github.com/hashicorp/go-retryablehttp"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
@@ -263,6 +264,11 @@ func (s Authenticator) Check(ctx context.Context, token string) (*authv1.UserInf
 	ctx = withRetryableHttpClient(ctx, s.HttpClientRetryCount)
 	idToken, err := s.verifier.Verify(ctx, token)
 	if err != nil {
+		if klog.V(7).Enabled() {
+			if claims, err := extractTokenClaims(token); err == nil {
+				klog.V(7).Infof("token claims: %s", claims)
+			}
+		}
 		return nil, errors.Wrap(err, "failed to verify token for azure")
 	}
 
@@ -455,3 +461,20 @@ func getAuthInfo(ctx context.Context, environment, tenantID string, retryCount i
 		Issuer:      metadata.Issuer,
 	}, nil
 }
+
+func extractTokenClaims(rawToken string) (string, error) {
+	token, _, err := new(jwt.Parser).ParseUnverified(rawToken, jwt.MapClaims{})
+	if err != nil {
+		return "", err
+	}
+
+	if claims, ok := token.Claims.(jwt.MapClaims); ok {
+		payload, err := json.Marshal(claims)
+		if err != nil {
+			return "", err
+		}
+		return string(payload), nil
+	}
+
+	return "", errors.New("Invalid JWT Token")
+}

auth/providers/azure/token_test.go

@@ -0,0 +1,53 @@
+/*
+Copyright The Guard Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package azure
+
+import (
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+func TestExtractTokenClaimsWithValidToken(t *testing.T) {
+	mySigningKey := []byte("AllYourBase")
+
+	// Create the Claims
+	claims := &jwt.RegisteredClaims{
+		ExpiresAt: jwt.NewNumericDate(time.Unix(1516239022, 0)),
+		Issuer:    "test",
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	ss, err := token.SignedString(mySigningKey)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	extractedClaims, err := extractTokenClaims(ss)
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Logf("claims: %s", extractedClaims)
+}
+
+func TestExtractTokenClaimsWithInvalidToken(t *testing.T) {
+	_, err := extractTokenClaims("")
+	if err == nil {
+		t.Fatal("expected to see the error with invalid token")
+	}
+}

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/go-chi/chi/v5 v5.0.8
 	github.com/go-ldap/ldap/v3 v3.4.4
 	github.com/golang-jwt/jwt v3.2.2+incompatible
+	github.com/golang-jwt/jwt/v4 v4.2.0
 	github.com/google/go-github/v50 v50.1.0
 	github.com/google/gofuzz v1.2.0
 	github.com/google/uuid v1.3.0
@@ -81,7 +82,6 @@ require (
 	github.com/go-openapi/swag v0.19.14 // indirect
 	github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang-jwt/jwt/v4 v4.2.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/btree v1.0.1 // indirect