cameleer/cameleer-server
1
0
Fork 0
Code Issues 44 Pull Requests Actions Packages Projects Releases Wiki Activity

fix: log access_token claims and audience mismatch during OIDC exchange
Some checks failed
CI / cleanup-branch (push) Has been skipped
Details
CI / build (push) Successful in 1m13s
Details
CI / deploy (push) Has been cancelled
Details
CI / deploy-feature (push) Has been cancelled
Details
CI / docker (push) Has been cancelled
Details

Browse Source 
Helps diagnose whether rolesClaim path matches the actual token structure.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-07 10:32:34 +02:00
parent d4b530ff8a
commit 11fc85e2b9
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
View File

@@ -122,10 +122,13 @@ public class OidcTokenExchanger {
String audience = config.audience() != null ? config.audience() : ""; String audience = config.audience() != null ? config.audience() : "";
JWTClaimsSet atClaims = decodeAccessToken(accessTokenStr, config.issuerUri(), audience); JWTClaimsSet atClaims = decodeAccessToken(accessTokenStr, config.issuerUri(), audience);
if (atClaims != null) { if (atClaims != null) {
log.info("OIDC access_token claims: {}", atClaims.getClaims().keySet());
roles = extractRoles(atClaims, config.rolesClaim()); roles = extractRoles(atClaims, config.rolesClaim());
if (!roles.isEmpty()) { if (!roles.isEmpty()) {
log.info("OIDC roles from access_token: {}", roles); log.info("OIDC roles from access_token: {}", roles);
} }
} else {
log.info("OIDC access_token audience mismatch (expected='{}')", audience);
} }
} catch (Exception e) { } catch (Exception e) {
log.debug("Could not decode access_token as JWT: {}", e.getMessage()); log.debug("Could not decode access_token as JWT: {}", e.getMessage());