feat: add diagnostic logging for OIDC scope and role extraction

Logs the received scopes, the rolesClaim path, the extracted roles, and all claim
keys at each stage of the OIDC auth flow to help debug the Logto integration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
hsiegeln
2026-04-07 09:16:42 +02:00
parent 23e90d6afb
commit 8852ec1483
3 changed files with 8 additions and 1 deletions


@@ -111,7 +111,10 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
*/
private List<String> extractRolesFromScopes(Jwt jwt) {
String scopeStr = jwt.getClaimAsString("scope");
log.info("OIDC access token scopes: '{}', subject={}, all claims={}",
scopeStr, jwt.getSubject(), jwt.getClaims().keySet());
if (scopeStr == null || scopeStr.isBlank()) {
log.warn("OIDC token has no 'scope' claim — defaulting to VIEWER");
return List.of("VIEWER");
}
for (String scope : scopeStr.split(" ")) {
@@ -120,6 +123,7 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
if ("OPERATOR".equals(normalized)) return List.of("OPERATOR");
if ("VIEWER".equals(normalized)) return List.of("VIEWER");
}
log.warn("OIDC scopes '{}' contain no recognized role — defaulting to VIEWER", scopeStr);
return List.of("VIEWER");
}
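Review bot: The new `log.info` on the scope string, subject and claim key set in extractRolesFromScopes sits in a filter that extends OncePerRequestFilter, so it will be emitted for every request that carries a bearer token rather than once per login. That volume makes the diagnostic line a candidate for `log.debug(...)` (or a guard with `log.isDebugEnabled()`), while the two `log.warn` fallbacks that grant VIEWER when no recognized role is present should stay at WARN, since a token reaching the filter without an expected scope is an authorization-relevant event worth alerting on. The subject is a stable user identifier; if request-level logs are retained or shipped elsewhere, per-request logging of it at INFO is worth a conscious decision. A one-line comment above the info line, such as `// Diagnostic only: per-request; drop to DEBUG once Logto scope mapping is confirmed`, would record the intent the commit message describes.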


@@ -173,6 +173,8 @@ public class OidcAuthController {
private void syncOidcRoles(String userId, List<String> oidcRoles, OidcConfig config) {
List<String> roleNames = !oidcRoles.isEmpty() ? oidcRoles : config.defaultRoles();
log.info("syncOidcRoles: userId={}, oidcRoles={}, defaultRoles={}, using={}",
userId, oidcRoles, config.defaultRoles(), roleNames);
// Resolve desired role IDs from OIDC scopes
Set<UUID> desired = new HashSet<>();
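Review bot: The added `log.info` in syncOidcRoles reports the role names selected before any reconciliation happens, so it records the intended input rather than the effective outcome; if a later step in the method (which continues outside this hunk) drops unknown names or fails to resolve an ID, the log will overstate what the user was granted. Consider a second line after the sync that states the resolved role set, e.g. `log.info("syncOidcRoles: userId={}, assignedRoleIds={}", userId, desired);`, since a role-assignment change is the security-relevant event an auditor will look for. Also `config.defaultRoles()` is now evaluated twice in adjacent lines; binding it once, `var defaults = config.defaultRoles();`, keeps the log and the selection consistent if the accessor is not a plain getter.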


@@ -111,7 +111,8 @@ public class OidcTokenExchanger {
List<String> roles = extractRoles(claims, config.rolesClaim());
log.info("OIDC user authenticated: id={}, email={}", subject, email);
log.info("OIDC user authenticated: id={}, email={}, rolesClaim='{}', extractedRoles={}, allClaims={}",
subject, email, config.rolesClaim(), roles, claims.getClaims().keySet());
return new OidcUserInfo(subject, email != null ? email : "", name != null ? name : "", roles, idTokenStr);
}
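Review bot: The rewritten `log.info` in OidcTokenExchanger now places the full claim key set and the rolesClaim path on the same INFO line as the user's email, so the per-login audit record and the debugging detail share one log level and retention policy. Splitting them keeps the authentication event compact and stable for log-based alerting while the claim inventory can be switched off after the Logto mapping is verified: `log.info("OIDC user authenticated: id={}, email={}, roles={}", subject, email, roles);` followed by `log.debug("OIDC claims for id={}: rolesClaim='{}', keys={}", subject, config.rolesClaim(), claims.getClaims().keySet());`. Only claim names are logged, not values, which is the right choice; the Javadoc for this method (outside the hunk) could note that so nobody later "helpfully" adds `claims.getClaims()` itself.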