return fmt.Errorf("error setting up OpenID Connect provider: %s", err)
}
if ok, err := ta.checkAccessTokenScope(ctx, tok); err != nil || !ok {
+ // Note checkAccessTokenScope logs any interesting errors
ta.cache.Add(tok, time.Now().Add(tokenCacheNegativeTTL))
return err
}
}
userinfo, err := ta.ctrl.provider.UserInfo(ctx, oauth2.StaticTokenSource(oauth2Token))
if err != nil {
+ ctxlog.FromContext(ctx).WithError(err).WithField("HMAC", hmac).Info("UserInfo failed (not an OIDC token?), caching negative result")
ta.cache.Add(tok, time.Now().Add(tokenCacheNegativeTTL))
return nil
}
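Review bot: The new Info line in the `UserInfo` error branch labels every failure as "not an OIDC token?", and the `ta.cache.Add(tok, time.Now().Add(tokenCacheNegativeTTL))` that follows caches the negative result whatever the cause. A transient failure (provider timeout, cancelled request context) would therefore appear to leave a valid token cached as non-OIDC until the TTL expires. Consider skipping the negative cache when the request context itself has ended, for example `if ctx.Err() != nil { return ctx.Err() }` placed before the `cache.Add`, and wording the message so it does not assert a cause. Logging the HMAC rather than the token is the right choice, but it is worth confirming that `err` from `UserInfo` can never carry the bearer token or a provider response body that echoes it, since it is now written to the log. The enclosing function starts and ends outside this hunk, so its return contract is inferred from the visible lines only.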
return true, nil
}
}
- ctxlog.FromContext(ctx).WithFields(logrus.Fields{"have": claims.Scope, "need": ta.ctrl.AcceptAccessTokenScope}).Infof("unacceptable access token scope")
+ ctxlog.FromContext(ctx).WithFields(logrus.Fields{"have": claims.Scope, "need": ta.ctrl.AcceptAccessTokenScope}).Info("unacceptable access token scope")
return false, httpserver.ErrorWithStatus(errors.New("unacceptable access token scope"), http.StatusUnauthorized)
}