[FEAT/BE] resolve jwks

2026-05-20 13:31:56 +00:00 · 2026-02-24 15:16:09 +07:00
parent 5fb7a78a5a
commit f6f4cc5a10
4 changed files with 240 additions and 19 deletions
@@ -196,7 +196,11 @@ func (h *Controller) Refresh(c *fiber.Ctx) error {

 	verification, err := sso.VerifyAccessToken(tokenResp.AccessToken)
 	if err != nil {
-		utils.Log.Errorf("access token verification failed: %v", err)
+		if sso.IsSignatureError(err) {
+			logSignatureError("sso refresh", "sso_token", tokenResp.AccessToken, err)
+		} else {
+			utils.Log.Errorf("access token verification failed: %v", err)
+		}
 		return fiber.NewError(fiber.StatusUnauthorized, "invalid access token")
 	}

@@ -304,7 +308,11 @@ func (h *Controller) Callback(c *fiber.Ctx) error {

 	verification, err := sso.VerifyAccessToken(tokenResp.AccessToken)
 	if err != nil {
-		utils.Log.Errorf("access token verification failed: %v", err)
+		if sso.IsSignatureError(err) {
+			logSignatureError("sso callback", "sso_token", tokenResp.AccessToken, err)
+		} else {
+			utils.Log.Errorf("access token verification failed: %v", err)
+		}
 		return fiber.NewError(fiber.StatusUnauthorized, "invalid access token")
 	}

@@ -337,6 +345,22 @@ func (h *Controller) UserInfo(c *fiber.Ctx) error {

 	token := strings.TrimSpace(c.Cookies(accessName))
 	tokenFromCookie := token != ""
+	usedCookieName := accessName
+
+	if !tokenFromCookie {
+		for _, name := range config.SSOAccessCookieFallback {
+			name = strings.TrimSpace(name)
+			if name == "" || name == accessName {
+				continue
+			}
+			token = strings.TrimSpace(c.Cookies(name))
+			if token != "" {
+				tokenFromCookie = true
+				usedCookieName = name
+				break
+			}
+		}
+	}

 	if !tokenFromCookie {
 		authHeader := strings.TrimSpace(c.Get("Authorization"))
@@ -363,7 +387,11 @@ func (h *Controller) UserInfo(c *fiber.Ctx) error {
 	}

 	if _, err := sso.VerifyAccessToken(token); err != nil {
-		utils.Log.WithError(err).Warn("access token verification failed for userinfo")
+		if sso.IsSignatureError(err) {
+			logSignatureError("sso userinfo", "request", token, err)
+		} else {
+			utils.Log.WithError(err).Warn("access token verification failed for userinfo")
+		}
 		return fiber.NewError(fiber.StatusUnauthorized, "unauthenticated")
 	}

@@ -382,7 +410,7 @@ func (h *Controller) UserInfo(c *fiber.Ctx) error {
 	// SSO /auth/get-me expects the access cookie; add Authorization as well for compatibility.
 	req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", token))
 	if tokenFromCookie {
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", accessName, token))
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", usedCookieName, token))
 	}

 	resp, err := h.httpClient.Do(req)
@@ -836,6 +864,27 @@ func resolveSSOCookieName(configuredName, fallback string) string {
 	return strings.TrimSpace(fallback)
 }

+func logSignatureError(ctxLabel, tokenSource, token string, err error) {
+	info := sso.ExtractTokenInfo(token)
+	aud := strings.Join(info.Aud, ",")
+	utils.Log.Errorf(
+		"access token verification failed: %v | ctx=%s source=%s iss=%s kid=%s aud=%s sub=%s exp=%d iat=%d nbf=%d expected_iss=%s expected_aud=%v jwks=%s",
+		err,
+		ctxLabel,
+		tokenSource,
+		info.Iss,
+		info.Kid,
+		aud,
+		info.Sub,
+		info.Exp,
+		info.Iat,
+		info.Nbf,
+		config.SSOIssuer,
+		config.SSOAllowedAudiences,
+		config.SSOJWKSURL,
+	)
+}
+
 func normalizeClientParam(raw string) string {
 	value := strings.TrimSpace(raw)
 	if value == "" {