Dump all claims of ID token to debug log (#68)

* Dump all claims of ID token to debug log

* Add dump when a user already has a token

.circleci/config.yml

@@ -10,12 +10,13 @@ jobs:
       - run: |
           curl -L -o ~/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.14.0/bin/linux/amd64/kubectl
           chmod +x ~/bin/kubectl
+      - run: |
+          curl -L -o ~/bin/ghcp https://github.com/int128/ghcp/releases/download/v1.3.0/ghcp_linux_amd64
+          chmod +x ~/bin/ghcp
       - run: |
           go get -v \
-            golang.org/x/lint/golint \
             github.com/int128/goxzst \
-            github.com/tcnksm/ghr \
-            github.com/int128/ghcp
+            github.com/tcnksm/ghr
       - checkout
       # workaround for https://github.com/golang/go/issues/27925
       - run: sed -e '/^k8s.io\/client-go /d' -i go.sum

Makefile

@@ -8,7 +8,6 @@ LDFLAGS := -X main.version=$(CIRCLE_TAG)
 all: $(TARGET)
 
 check:
-	golint
 	go vet
 	$(MAKE) -C adaptors_test/keys/testdata
 	go test -v -race ./...

adaptors_test/cmd_test.go

@@ -171,11 +171,19 @@ func TestCmd_Run(t *testing.T) {
 
 func newIDToken(t *testing.T, issuer string) string {
 	t.Helper()
-	token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.StandardClaims{
+	var claims struct {
+		jwt.StandardClaims
+		Groups []string `json:"groups"`
+	}
+	claims.StandardClaims = jwt.StandardClaims{
 		Issuer:    issuer,
 		Audience:  "kubernetes",
 		ExpiresAt: time.Now().Add(time.Hour).Unix(),
-	})
+		Subject:   "SUBJECT",
+		IssuedAt:  time.Now().Unix(),
+	}
+	claims.Groups = []string{"admin", "users"}
+	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
 	s, err := token.SignedString(keys.JWSKeyPair)
 	if err != nil {
 		t.Fatalf("Could not sign the claims: %s", err)

usecases/login.go

@@ -73,7 +73,8 @@ func (u *Login) Do(ctx context.Context, in usecases.LoginIn) error {
 		ClientID: authProvider.ClientID(),
 		Client:   hc,
 	}); token != nil {
-		u.Logger.Printf("You already have a valid token (until %s)", token.Expiry)
+		u.Logger.Printf("You already have a valid token until %s", token.Expiry)
+		u.dumpIDToken(token)
 		return nil
 	}
 
@@ -96,8 +97,8 @@ func (u *Login) Do(ctx context.Context, in usecases.LoginIn) error {
 		return errors.Wrapf(err, "could not get token from OIDC provider")
 	}
 
-	u.Logger.Printf("Got a token for subject %s (valid until %s)", out.VerifiedIDToken.Subject, out.VerifiedIDToken.Expiry)
-	u.Logger.Debugf(1, "Got an ID token %+v", out.VerifiedIDToken)
+	u.Logger.Printf("You got a valid token until %s", out.VerifiedIDToken.Expiry)
+	u.dumpIDToken(out.VerifiedIDToken)
 	authProvider.SetIDToken(out.IDToken)
 	authProvider.SetRefreshToken(out.RefreshToken)
 
@@ -109,6 +110,16 @@ func (u *Login) Do(ctx context.Context, in usecases.LoginIn) error {
 	return nil
 }
 
+func (u *Login) dumpIDToken(token *oidc.IDToken) {
+	var claims map[string]interface{}
+	if err := token.Claims(&claims); err != nil {
+		u.Logger.Debugf(1, "Error while inspection of the ID token: %s", err)
+	}
+	for k, v := range claims {
+		u.Logger.Debugf(1, "The ID token has the claim: %s=%v", k, v)
+	}
+}
+
 func (u *Login) verifyIDToken(ctx context.Context, in adaptors.OIDCVerifyTokenIn) *oidc.IDToken {
 	if in.IDToken == "" {
 		return nil
@@ -118,6 +129,5 @@ func (u *Login) verifyIDToken(ctx context.Context, in adaptors.OIDCVerifyTokenIn
 		u.Logger.Debugf(1, "Could not verify the ID token in the kubeconfig: %s", err)
 		return nil
 	}
-	u.Logger.Debugf(1, "Verified token %+v", token)
 	return token
 }