diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
index fd4544f..bb68409 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/BearerTokenRequestAuthenticator.java
@@ -23,6 +23,8 @@ import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.common.VerificationException;
+import org.keycloak.jose.jws.JWSInput;
+import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import javax.security.cert.X509Certificate;
@@ -83,6 +85,16 @@ public class BearerTokenRequestAuthenticator {
}
protected AuthOutcome authenticateToken(HttpFacade exchange, String tokenString) {
+ log.debug("Verifying access_token");
+ if (log.isTraceEnabled()) {
+ try {
+ JWSInput jwsInput = new JWSInput(tokenString);
+ String wireString = jwsInput.getWireString();
+ log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+ } catch (JWSInputException e) {
+ log.errorf(e, "Failed to parse access_token: %s", tokenString);
+ }
+ }
try {
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
} catch (VerificationException e) {
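Review bot: The catch branch added in authenticateToken writes the whole `tokenString` to the log at error level, which undoes the signature redaction the trace line just above performs; a string that fails to parse here can still be a usable credential somewhere else. The value appears to come from the incoming request, so it can also carry CR/LF or other control characters into the log. Leave the token out of the message, e.g. `log.errorf(e, "Failed to parse access_token")`, or log only its length. The `logToken` helper added to OAuthRequestAuthenticator has the same catch branch, where it also covers the id and refresh tokens. The body of authenticateToken continues outside this hunk.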
@@ -124,6 +136,7 @@ public class BearerTokenRequestAuthenticator {
}
surrogate = chain[0].getSubjectDN().getName();
}
+ log.debug("successful authorized");
return AuthOutcome.AUTHENTICATED;
}
diff --git a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
index 6d7e660..7b0ee80 100755
--- a/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
+++ b/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/OAuthRequestAuthenticator.java
@@ -350,6 +350,14 @@ public class OAuthRequestAuthenticator {
tokenString = tokenResponse.getToken();
refreshToken = tokenResponse.getRefreshToken();
idTokenString = tokenResponse.getIdToken();
+
+ log.debug("Verifying tokens");
+ if (log.isTraceEnabled()) {
+ logToken("\taccess_token", tokenString);
+ logToken("\tid_token", idTokenString);
+ logToken("\trefresh_token", refreshToken);
+ }
+
try {
token = AdapterRSATokenVerifier.verifyToken(tokenString, deployment);
if (idTokenString != null) {
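Review bot: `logToken` is called for `idTokenString` before the `if (idTokenString != null)` check at the end of this hunk, and `refreshToken` is passed with no check at all, so a null can reach `new JWSInput(token)`. How JWSInput treats null is not visible here; at best the result is a "Failed to parse" error for a token that is legitimately absent. Guard at the top of the helper, `if (token == null) { log.tracef("%s: not present", name); return; }`, or skip the call when the value is null. The enclosing method starts and ends outside this hunk.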
@@ -404,4 +412,13 @@ public class OAuthRequestAuthenticator {
return originalUri;
}
+ private void logToken(String name, String token) {
+ try {
+ JWSInput jwsInput = new JWSInput(token);
+ String wireString = jwsInput.getWireString();
+ log.tracef("\t%s: %s", name, wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
+ } catch (JWSInputException e) {
+ log.errorf(e, "Failed to parse %s: %s", name, token);
+ }
+ }
}
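Review bot: The callers already pass names with a leading tab (`"\taccess_token"`) and the format string in `logToken` adds another, so trace lines get two tabs and the error message embeds a tab in the middle of the sentence; keep the tab in one place, for example pass plain names and leave `"\t%s: %s"` as it is. The helper also has no comment explaining why the last segment is replaced; something like `// Log header and payload only; the signature is replaced so the logged value cannot be replayed as a token` would record the intent. The same logic is written inline in BearerTokenRequestAuthenticator, so a shared helper would keep the redaction in one place.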