|
24 | 24 | from marshmallow import Schema, ValidationError, fields, post_load, pre_load
|
25 | 25 | from werkzeug.utils import secure_filename
|
26 | 26 |
|
| 27 | +from renku.ui.service.logger import service_log |
| 28 | + |
27 | 29 | JWT_TOKEN_SECRET = os.getenv("RENKU_JWT_TOKEN_SECRET", "bW9menZ3cnh6cWpkcHVuZ3F5aWJycmJn")
|
28 | 30 |
|
29 | 31 |
|
@@ -95,14 +97,18 @@ def decode_token(token):
|
95 | 97 | @staticmethod
|
96 | 98 | def decode_user(data):
|
97 | 99 | """Extract renku user from the Keycloak ID token which is a JWT."""
|
| 100 | + service_log.info(f"decoding token {data}") |
98 | 101 | try:
|
99 | 102 | jwk = cast(jwt.PyJWKClient, current_app.config["KEYCLOAK_JWK_CLIENT"])
|
100 | 103 | key = jwk.get_signing_key_from_jwt(data)
|
| 104 | + service_log.info(f"trying with key {key.key} and algo RS256") |
101 | 105 | decoded = jwt.decode(data, key=key.key, algorithms=["RS256"], audience="renku")
|
102 |
| - except jwt.PyJWTError: |
| 106 | + except jwt.PyJWTError as e: |
103 | 107 | # NOTE: older tokens used to be signed with HS256 so use this as a backup if the validation with RS256
|
104 | 108 | # above fails. We used to need HS256 because a step that is now removed was generating an ID token and
|
105 | 109 | # signing it from data passed in individual header fields.
|
| 110 | + service_log.info(f"original error {e}") |
| 111 | + service_log.info("trying with HS256") |
106 | 112 | decoded = jwt.decode(data, JWT_TOKEN_SECRET, algorithms=["HS256"], audience="renku")
|
107 | 113 | return UserIdentityToken().load(decoded)
|
108 | 114 |
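Review bot: The new log call at line 100 writes the raw ID token into the service log, and line 104 writes the signing key material next to it; a bearer credential should never reach log storage, where it outlives the request and is readable by anyone with log access, and the `f"..."` form also formats eagerly even when INFO is filtered. Replace the three added calls with non-sensitive, lazily formatted messages: `service_log.debug("decoding Keycloak ID token")`, `service_log.debug("verifying ID token with RS256, kid=%s", key.key_id)`, and in the except branch `service_log.debug("RS256 verification failed (%s); retrying with HS256", e)`, dropping the separate "trying with HS256" line. If the token contents are genuinely needed for debugging, log only its header (`jwt.get_unverified_header(data)`) rather than the token itself. The HS256 fallback and its default `JWT_TOKEN_SECRET` at line 29 are pre-existing and not part of this change.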
|
|