FEAT: Add OIDC debug logging for authentication troubleshooting #4411
Sagar-6203620715 wants to merge 1 commit into kubernetes-sigs:main from
Conversation
- Add LevelDebug to logger for verbose logging
- Add --oidc-debug flag to enable OIDC flow debugging
- Instrument OIDC callback handler with 6 debug checkpoints
- Instrument token refresh flow with 4 debug checkpoints
- Log user identity (email/name) and token metadata
- Enhance error messages with issuer/endpoint context

Fixes kubernetes-sigs#3576
Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages. The list of commits with invalid commit messages:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Sagar-6203620715

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Thanks for this. Please check the commit messages match the style we use? Also please check if it compiles and passes checks locally, see backend part of the contributing docs.
Pull request overview
This pull request adds comprehensive debug logging capabilities for OIDC authentication flows to help troubleshoot authentication loops and token refresh failures. The changes introduce a new LevelDebug log level, add an --oidc-debug command-line flag, and instrument key points in the OIDC callback and token refresh flows with detailed debug logging.
Changes:
- Added LevelDebug constant and handler to the logger package
- Added OidcDebug configuration field and --oidc-debug flag
- Modified RefreshAndCacheNewToken to accept a debug flag and log token refresh operations
- Added debug logging checkpoints throughout the OIDC callback handler and token refresh flow
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| backend/pkg/logger/logger.go | Adds LevelDebug constant and debug case to logging switch |
| backend/pkg/config/config.go | Adds OidcDebug configuration field and --oidc-debug flag |
| backend/pkg/auth/auth.go | Adds debugEnabled parameter to RefreshAndCacheNewToken and logs token refresh initiation |
| backend/cmd/headlamp.go | Adds oidcDebug field and implements debug logging at 10+ checkpoints in OIDC flows |
| idToken, err := oauthConfig.Verifier.Verify(oauthConfig.Ctx, rawUserToken) | ||
| if err != nil { | ||
| logger.Log(logger.LevelError, nil, err, "failed to verify ID Token") | ||
| logger.Log(logger.LevelError, nil, err, "failed to verify ID Token signature") |
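Review bot: the hunk ends with two consecutive logger.Log calls for the same verification failure ("failed to verify ID Token" and "failed to verify ID Token signature"), so the failure would be logged twice; keep one call and put the issuer context the PR promises into the map argument instead of `nil`, e.g. `logger.Log(logger.LevelError, map[string]string{"issuer": oidcAuthConfig.IdpIssuerURL}, err, "failed to verify ID Token signature")`, so an operator can tell which IdP rejected the token.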
Critical syntax error: Line 879 has a complete logger.Log call, but lines 880-881 contain orphaned code that appears to be part of an incomplete map literal and duplicate logger.Log call. This will cause a compilation error. The code should either be:
- Remove lines 880-881 entirely if the enhanced error logging was meant to replace line 879, OR
- Fix line 879 to include the map parameter like:
logger.Log(logger.LevelError, map[string]string{"issuer": oidcAuthConfig.IdpIssuerURL}, err, "failed to verify ID Token signature")
| logger.Log(logger.LevelError, nil, err, "failed to verify ID Token signature") | |
| logger.Log(logger.LevelError, map[string]string{ |
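Review bot: the `map[string]string{` opened on the last line is never closed and the `err` and message arguments do not follow it, so this does not compile as shown; complete the call with the issuer field and remove the preceding `nil` variant on the line above, which otherwise reports the same failure a second time.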
| func RefreshAndCacheNewToken(ctx context.Context, oidcAuthConfig *kubeconfig.OidcConfig, debugEnabled bool, | ||
| cache cache.Cache[interface{}], | ||
| tokenType, token, issuerURL string, | ||
| ) (*oauth2.Token, error) { |
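Review bot: inserting `debugEnabled bool` between `oidcAuthConfig` and `cache` changes the exported signature of RefreshAndCacheNewToken, so every caller, including the tests in auth_test.go, has to change in the same commit or the package stops building; consider appending the parameter last to keep existing positional calls readable, or have the function consult the logger's configured level instead of threading a flag through each auth call.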
The function signature for RefreshAndCacheNewToken has been changed to add a debugEnabled bool parameter, but the test calls in auth_test.go have not been updated. This will cause compilation failures. All test calls to this function need to be updated to include the debugEnabled parameter (likely passing false for tests).
PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
Summary
Adds comprehensive debug logging for OIDC authentication flow to troubleshoot auth loops and token refresh failures.
Root Cause Identified
Users experiencing OIDC authentication loops (successful IdP login → immediate re-login on every UI action) had zero diagnostic visibility. Existing logs only showed generic errors like "failed to refresh token" with no context about:
This made troubleshooting OIDC issues across different providers (Azure AD, Keycloak, Authelia, GKE) nearly impossible.
Fix Applied
Adds opt-in debug logging to trace the complete OIDC authentication flow:
Changes
- LevelDebug to logger - New debug level for verbose logging
- --oidc-debug flag - Enable OIDC flow debugging (off by default)

Related Issue
Fixes #3576
Testing
Enable Debug Logging
Expected Debug Output
When OIDC login occurs, logs will show:
```
{"level":"debug","message":"OIDC callback received","endpoint":"/oidc-callback"}
{"level":"debug","message":"OIDC state validated successfully","state":"abc12345..."}
{"level":"debug","message":"Token exchange successful","token_type":"id_token","has_refresh":"true","expires_in":"1h0m0s"}
{"level":"debug","message":"ID Token verified successfully","subject":"user@example.com","issuer":"https://idp.example.com"}
{"level":"debug","message":"User claims extracted successfully","user_email":"user@example.com","user_name":"John Doe"}
{"level":"debug","message":"OIDC login completed, redirecting to UI","cluster":"production"}
```

Built & Run
Impact
Notes for Reviewers
config.oidcDebug flag
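The debug checkpoints above log a truncated state value and token metadata rather than the token itself. As an added example that is not Headlamp's code and not part of this PR, here is a small opt-in debug logger in the same shape: off by default, one JSON line per checkpoint, and helpers that keep the OIDC state and token bytes out of the log. The names `debugLogger`, `truncateState` and `tokenFields` are assumptions.

```go
package main

// Added example, not Headlamp's code: an opt-in OIDC debug logger that emits
// structured checkpoints without leaking secrets. Names are assumptions.

import (
	"encoding/json"
	"fmt"
	"io"
	"time"
)

type debugLogger struct {
	enabled bool // mirrors an --oidc-debug style switch; off means no output
	out     io.Writer
}

// Log writes one JSON line tagged level=debug, or nothing when disabled.
func (d debugLogger) Log(msg string, fields map[string]string) error {
	if !d.enabled {
		return nil
	}
	rec := map[string]string{"level": "debug", "message": msg}
	for k, v := range fields {
		rec[k] = v
	}
	b, err := json.Marshal(rec)
	if err != nil {
		return err
	}
	_, err = fmt.Fprintln(d.out, string(b))
	return err
}

// truncateState keeps an 8-char prefix: enough to correlate a callback with its login, not enough to replay.
func truncateState(state string) string {
	if len(state) > 8 {
		state = state[:8]
	}
	return state + "..."
}

// tokenFields describes a token by metadata only; the token bytes never reach the log.
func tokenFields(tokenType, refreshToken string, expiry, now time.Time) map[string]string {
	return map[string]string{
		"token_type":  tokenType,
		"has_refresh": fmt.Sprintf("%t", refreshToken != ""),
		"expires_in":  expiry.Sub(now).Round(time.Second).String(),
	}
}
```

Wire `debugLogger{enabled: cfg.OidcDebug, out: os.Stderr}` (field name as in this PR) once at startup and pass it to the callback and refresh paths; with the switch off every call is a no-op.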