Adding WWW-Authenticate info.

when glare requests are failing with "401 Unauthorized"
against keycloak, more data can be added to the logs,
to understand the reason better.

In case keycloak return 401 it must provide the www-Authenticate
response header with the reason:
https://www.w3.org/Protocols/HTTP/1.0/spec.html#WWW-Authenticate

This code take care of it by adding the WWW-Authenticate value to
glare api-log.

Change-Id: Ia3966ad00868b559874610f552c8e491d8a01acd
This commit is contained in:
Idan Narotzki 2018-04-10 10:10:14 -06:00
parent 9419d4d970
commit 5e60d27376
1 changed files with 7 additions and 2 deletions

View File

@ -121,6 +121,10 @@ class KeycloakAuthMiddleware(base_middleware.Middleware):
if resp.status_code == 400:
raise exception.BadRequest(message=resp.text)
if resp.status_code == 401:
LOG.warning("HTTP response from OIDC provider:"
" [%s] with WWW-Authenticate: [%s]",
pprint.pformat(resp.text),
resp.headers.get("WWW-Authenticate"))
raise exception.Unauthorized(message=resp.text)
if resp.status_code == 403:
raise exception.Forbidden(message=resp.text)
@ -147,8 +151,9 @@ class KeycloakAuthMiddleware(base_middleware.Middleware):
try:
decoded = jwt.decode(access_token, algorithms=['RS256'],
verify=False)
except Exception:
msg = _("Token can't be decoded because of wrong format.")
except Exception as e:
msg = _("Token can't be decoded because of wrong format %s")\
% str(e)
LOG.error(msg)
raise exception.Unauthorized()