From 725f8265137fc44acac8b57f4347b339e4f5d7ac Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Tue, 7 Apr 2026 10:39:53 +0200
Subject: [PATCH] debug: log access_token format to diagnose opaque vs JWT
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../com/cameleer3/server/app/security/OidcTokenExchanger.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 87538772..af4e68a8 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -117,6 +117,10 @@ public class OidcTokenExchanger {
 // Try roles from access_token first (JWT providers like Logto, Keycloak),
 // then fall back to id_token
 List roles = Collections.emptyList();
+ log.info("OIDC access_token: isJwt={}, length={}, prefix='{}'",
+ accessTokenStr != null && accessTokenStr.contains("."),
+ accessTokenStr != null ? accessTokenStr.length() : 0,
+ accessTokenStr != null ? accessTokenStr.substring(0, Math.min(30, accessTokenStr.length())) : "null");
 if (accessTokenStr != null && accessTokenStr.contains(".")) {
 try {
 String audience = config.audience() != null ? config.audience() : "";
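Review bot: The `prefix='{}'` argument of the added `log.info` writes up to the first 30 characters of the access token into the application log at INFO level. For an opaque token that can be most or all of the bearer credential, so it becomes readable to anyone with access to the logs or a downstream log pipeline. The `isJwt` and `length` fields already answer the opaque-vs-JWT question, so I would drop the prefix and lower the level: `log.debug("OIDC access_token: isJwt={}, length={}", accessTokenStr != null && accessTokenStr.contains("."), accessTokenStr != null ? accessTokenStr.length() : 0);`. If a stable value is needed to correlate log entries with a specific token, log a truncated SHA-256 digest of it rather than raw token bytes. The enclosing method starts and ends outside this hunk, so I cannot tell whether the token is also logged elsewhere.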