Expected Behavior
The Jwt Validators that are provided in the oauth jose package have no logging in them when they fail. It makes it hard when debugging to understand when a Jwt Token has failed and for what reason. I'm not sure if this is on purpose, for security reasons, to not log the failure.
Current Behavior
No logging in the default JWT Validators
Context
This has slowed down debugging and understanding which validator has failed. Debug messages when the logging is set to debug would be helpful.
To get an insight into what JWTs are failing, I have patched the validators and manually set up the JwtDecoder/ReactiveJwtDecoder.
They cannot be extended as they are all final, so patching is the only option.
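Since the built-in validators are final, composition is the alternative to patching: wrap each default validator in a decorator that logs the outcome at DEBUG and hand the composed validator to the reactive decoder. The example below is added here and is not code from the issue or from Spring Security; it assumes the Spring Security 5.x API (OAuth2TokenValidator, OAuth2TokenValidatorResult, DelegatingOAuth2TokenValidator, JwtTimestampValidator, JwtIssuerValidator, NimbusReactiveJwtDecoder) and SLF4J, and the JWK Set URI and issuer passed to the wiring method are placeholders.

```java
import java.util.Collection;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;

/**
 * Added example (not part of Spring Security): decorates any OAuth2TokenValidator<Jwt>
 * with DEBUG logging of the result, naming the wrapped validator so a failure can be
 * attributed to the validator that produced it. Composition is used because the
 * default validators are final and cannot be subclassed.
 */
public final class LoggingJwtValidator implements OAuth2TokenValidator<Jwt> {

    private static final Logger log = LoggerFactory.getLogger(LoggingJwtValidator.class);

    private final String name;
    private final OAuth2TokenValidator<Jwt> delegate;

    public LoggingJwtValidator(String name, OAuth2TokenValidator<Jwt> delegate) {
        this.name = name;
        this.delegate = delegate;
    }

    @Override
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        OAuth2TokenValidatorResult result = delegate.validate(jwt);
        if (!log.isDebugEnabled()) {
            return result;
        }
        if (result.hasErrors()) {
            // Log claim metadata only (issuer, subject, expiry), never the raw token value,
            // so enabling DEBUG does not turn the log into a store of reusable credentials.
            log.debug("JWT validator '{}' rejected token: issuer={}, subject={}, expiresAt={}",
                    name, jwt.getIssuer(), jwt.getSubject(), jwt.getExpiresAt());
            Collection<OAuth2Error> errors = result.getErrors();
            for (OAuth2Error error : errors) {
                log.debug("  validator '{}' error [{}]: {}", name, error.getErrorCode(), error.getDescription());
            }
        } else {
            log.debug("JWT validator '{}' accepted token: issuer={}, subject={}",
                    name, jwt.getIssuer(), jwt.getSubject());
        }
        return result;
    }

    /**
     * Hypothetical wiring: builds a reactive decoder whose default validators (timestamp and
     * issuer) are each wrapped individually, so the log names which one failed.
     * jwkSetUri and issuer are placeholders supplied by the caller.
     */
    public static ReactiveJwtDecoder loggingDecoder(String jwkSetUri, String issuer) {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build();
        OAuth2TokenValidator<Jwt> validator = new DelegatingOAuth2TokenValidator<>(
                new LoggingJwtValidator("timestamp", new JwtTimestampValidator()),
                new LoggingJwtValidator("issuer", new JwtIssuerValidator(issuer)));
        decoder.setJwtValidator(validator);
        return decoder;
    }
}
```

Register the decoder as the ReactiveJwtDecoder bean (for example `LoggingJwtValidator.loggingDecoder("https://issuer.example/.well-known/jwks.json", "https://issuer.example")`) and set `org.springframework.security` or the decorator's own logger to DEBUG; each rejection then names the validator and its error code, while the signature failure raised by the Nimbus processor is still surfaced by the decoder itself.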
Comment From: jzheaux
Thanks for raising this, @Budlee. We certainly want to ensure that there's enough logging available.
Before knowing what the right change is, let's get on the same page about what is missing. In Spring Security, each authentication filter logs failures at the DEBUG level, so you can do:
logging:
  level:
    org.springframework.security: DEBUG
and you'll see failure information, for example when a bearer token fails validation.
On the Servlet side, you'll see an exception like:
...
Caused by: com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:405) ~[nimbus-jose-jwt-8.17.1.jar:8.17.1]
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330) ~[nimbus-jose-jwt-8.17.1.jar:8.17.1]
at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder.createClaimsSet(NimbusReactiveJwtDecoder.java:531) ~[spring-security-oauth2-jose-5.4.0-SNAPSHOT.jar:5.4.0-SNAPSHOT]
... 63 common frames omitted
On the WebFlux side, you'll see a simple message:
Authentication failed: Failed to validate the token
I think things can be improved on the WebFlux side, and perhaps they can be improved on the Servlet side as well.
Can you elaborate on what information that you aren't able to get that you need?
Comment From: Budlee
@jzheaux this is why I did not see it, as I am using reactive for pretty much everything currently.
Would you accept a PR that adds more logging to the reactive implementation, and are there any constraints?
Comment From: jzheaux
Got it, makes sense.
a PR that adds more logging
You've come at the right time. :) Logging is something we're taking a look at generally for the 5.4 release. Some initial work on the reactive side was just merged.
Now, to set expectations, plenty may change in Spring Security's logging story between now and the release. But, I think one place that would probably give you quite a bit more than you have right now would be to log the full exception in AuthenticationWebFilter like is done on the servlet side. Currently, I think it only does "Authentication Failed: " + e.getMessage() or similar.
Comment From: Budlee
@jzheaux I've added some additional debug messages for Jwt and the ReactiveAuth manager. Any suggestions?