This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Insufficient logging #3849

Peperud opened this issue Sep 7, 2017 · 3 comments

@Peperud

Peperud commented Sep 7, 2017

  • I read and understood how to enable logging

Question / Issue

If for whatever reason the openid scope is not in the allowed client scopes, all that shows in the log is below. No request data info or anything else searchable to correlate.
Spent a lot of time chasing this across 6 different servers in 3 data centers. Thought I was going mad or someone messed up with the reverse proxies...

Relevant parts of the log file

2017-09-07 13:51:22.819 -07:00 [Information] Start authorize request
2017-09-07 13:51:22.819 -07:00 [Information] Start authorize request protocol validation
2017-09-07 13:51:22.970 -07:00 [Error] Requested scope not allowed: "openid"
2017-09-07 13:51:22.970 -07:00 [Information] End authorize request

@brockallen
Member

Not enough info. We need your client and scope config.

@Peperud
Author

Peperud commented Sep 8, 2017

@brockallen

Not enough info. We need your client and scope config.

Not sure what the best way to provide is. Let's try this..

{
	"table": "clients",
	"rows":
	[
		{
			"Id": 156,
			"Enabled": 1,
			"ClientId": "redacted_xamarin.client",
			"ClientName": "Xamarin Test Client",
			"ClientUri": "redacted://xamarin.client/redirect",
			"LogoUri": null,
			"RequireConsent": 0,
			"AllowRememberConsent": 0,
			"Flow": 1,
			"AllowClientCredentialsOnly": 0,
			"LogoutUri": null,
			"LogoutSessionRequired": 0,
			"AllowAccessToAllScopes": 0,
			"IdentityTokenLifetime": 300,
			"AccessTokenLifetime": 3600,
			"AuthorizationCodeLifetime": 300,
			"AbsoluteRefreshTokenLifetime": 0,
			"SlidingRefreshTokenLifetime": 0,
			"RefreshTokenUsage": 0,
			"UpdateAccessTokenOnRefresh": 0,
			"RefreshTokenExpiration": 0,
			"AccessTokenType": 1,
			"EnableLocalLogin": 1,
			"IncludeJwtId": 0,
			"AlwaysSendClientClaims": 0,
			"PrefixClientClaims": 0,
			"AllowAccessToAllGrantTypes": 0,
			"AccessType": null,
			"ShowOnDashboard": 0,
			"RequireSignOutPrompt": 0,
			"AllowAccessTokensViaBrowser": 1
		}
	]
}
{
	"table": "scopes",
	"rows":
	[
		{
			"Id": 9,
			"Enabled": 1,
			"Name": "openid",
			"DisplayName": "openid",
			"Description": null,
			"Required": 0,
			"Emphasize": 0,
			"Type": 0,
			"IncludeAllClaimsForUser": 0,
			"ClaimsRule": null,
			"ShowInDiscoveryDocument": 0,
			"AllowUnrestrictedIntrospection": 0
		}
	]
}

If I don't have the openid scope associated with the client then I get the "Requested scope not allowed" message as I should.
However, no request details get logged, which makes it difficult to match the failure to a particular request on a busy server.

ScopeValidation.cs (two screenshots of this file were attached to the original issue; the images are not preserved here)
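As an added example (not IdentityServer3's own code; the `AuthorizeRequestContext` and `ScopeValidator` names and the `logError` callback are hypothetical), here is the terse error line from the log above next to a version that carries the non-secret request context needed to correlate the failure on a busy server:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical request context; assumed to be populated by the host per authorize request.
public sealed class AuthorizeRequestContext
{
    public string ClientId { get; set; }
    public string RedirectUri { get; set; }
    public string CorrelationId { get; set; }   // assumed per-request id, e.g. from a proxy header
    public IReadOnlyCollection<string> RequestedScopes { get; set; }
}

public static class ScopeValidator
{
    // Before: reproduces the log line from the issue. The scope name is the only searchable token.
    public static bool AreScopesAllowedTerse(IEnumerable<string> allowed, IEnumerable<string> requested, Action<string> logError)
    {
        var missing = requested.FirstOrDefault(s => !allowed.Contains(s));
        if (missing == null) return true;
        logError($"Requested scope not allowed: \"{missing}\"");
        return false;
    }

    // After: same decision, but the error names the client, every disallowed scope, the redirect
    // URI and a correlation id. No client secret, code or token is written to the log.
    public static bool AreScopesAllowed(AuthorizeRequestContext ctx, IEnumerable<string> allowed, Action<string> logError)
    {
        var allowedSet = new HashSet<string>(allowed, StringComparer.Ordinal);
        var disallowed = ctx.RequestedScopes.Where(s => !allowedSet.Contains(s)).ToList();
        if (disallowed.Count == 0) return true;
        logError("Requested scope not allowed: "
            + string.Join(", ", disallowed.Select(s => $"\"{s}\""))
            + $"; client_id={ctx.ClientId}"
            + $"; requested_scopes={string.Join(" ", ctx.RequestedScopes)}"
            + $"; redirect_uri={ctx.RedirectUri}"
            + $"; correlation_id={ctx.CorrelationId}");
        return false;
    }

    public static void Main()
    {
        // Constructed sample mirroring the issue: the client may use "profile" but not "openid".
        var ctx = new AuthorizeRequestContext
        {
            ClientId = "redacted_xamarin.client", RedirectUri = "redacted://xamarin.client/redirect",
            CorrelationId = Guid.NewGuid().ToString("N"), RequestedScopes = new[] { "openid", "profile" }
        };
        AreScopesAllowedTerse(new[] { "profile" }, ctx.RequestedScopes, Console.WriteLine);
        AreScopesAllowed(ctx, new[] { "profile" }, Console.WriteLine);
    }
}
```

The second line is what an operator can grep for by client id or correlation id across several servers, which is the gap the issue describes.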

@brockallen
Copy link
Member

brockallen commented Nov 4, 2017

I see, so you figured it out -- the openid scope was not allowed when it should be. Yea, this is a config error that ideally would have been discovered during dev time.

As for changes to the runtime, we're not making new enhancements at this time. Sorry.

Sounds like this is sorted out -- can we close?
