diff --git a/openid_connect.js b/openid_connect.js
index e39f1a6..1a1de4f 100644
--- a/openid_connect.js
+++ b/openid_connect.js
@@ -56,10 +56,10 @@ async function codeExchange(r) {
// Check authorization code presence
if (!r.variables.arg_code || r.variables.arg_code.length == 0) {
if (r.variables.arg_error) {
- r.error("OIDC error receiving authorization code: " +
+ r.error("OIDC error receiving authorization code for " + r.headersIn['host'] + r.uri + ": " +
r.variables.arg_error_description);
} else {
- r.error("OIDC expected authorization code but received: " + r.uri);
+ r.error("OIDC expected authorization code for " + r.headersIn['host'] + " but received: " + r.uri);
}
r.return(502);
return;
@@ -95,7 +95,7 @@ function getTokenClaims(r, token) {
r.subrequest('/_token_validation', 'token=' + token,
function(reply) {
if (reply.status !== 200) {
- r.error("Failed to retrieve claims: HTTP " + reply.status);
+ r.error("Failed to retrieve claims for " + r.headersIn['host'] + r.uri + ": HTTP " + reply.status);
resolve(null);
return;
}
@@ -103,7 +103,7 @@ function getTokenClaims(r, token) {
const claims = JSON.parse(reply.responseText);
resolve(claims);
} catch (e) {
- r.error("Failed to parse claims: " + e);
+ r.error("Failed to parse claims for " + r.headersIn['host'] + r.uri + ": " + e);
resolve(null);
}
}
@@ -131,21 +131,21 @@ function validateIdTokenClaims(r, claims) {
const missingClaims = requiredClaims.filter((claim) => !claims[claim]);
if (missingClaims.length > 0) {
- r.error(`OIDC ID Token validation error: missing claim(s) ${missingClaims.join(' ')}`);
+ r.error(`OIDC ID Token validation error for " + r.headersIn['host'] + r.uri + ": missing claim(s) ${missingClaims.join(' ')}`);
return false;
}
// Check 'iat' validity
const iat = Math.floor(Number(claims.iat));
if (String(iat) !== claims.iat || iat < 1) {
- r.error("OIDC ID Token validation error: iat claim is not a valid number");
+ r.error("OIDC ID Token validation error for " + r.headersIn['host'] + r.uri + ": iat claim is not a valid number");
return false;
}
// Audience must include the configured client
const aud = Array.isArray(claims.aud) ? claims.aud : claims.aud.split(',');
if (!aud.includes(r.variables.oidc_client)) {
- r.error(`OIDC ID Token validation error: aud claim (${claims.aud}) ` +
+ r.error(`OIDC ID Token validation error for " + r.headersIn['host'] + r.uri + ": aud claim (${claims.aud}) ` +
`does not include $oidc_client (${r.variables.oidc_client})`);
return false;
}
@@ -160,12 +160,12 @@ function validateIdTokenClaims(r, claims) {
: '';
if (claims.nonce !== clientNonceHash) {
- r.error(`OIDC ID Token validation error: nonce from token (${claims.nonce}) ` +
+ r.error(`OIDC ID Token validation error for " + r.headersIn['host'] + r.uri + ": nonce from token (${claims.nonce}) ` +
`does not match client (${clientNonceHash})`);
return false;
}
} else if (isNewSession(r)) {
- r.error("OIDC ID Token validation error: " +
+ r.error("OIDC ID Token validation error for " + r.headersIn['host'] + r.uri + ": " +
"missing nonce claim during initial authentication.");
return false;
}
@@ -227,7 +227,7 @@ async function exchangeCodeForTokens(r) {
});
if (reply.status === 504) {
- r.error("OIDC timeout connecting to IdP during code exchange");
+ r.error("OIDC timeout connecting to IdP during code exchange for " + r.headersIn['host'] + r.uri);
r.return(504);
return null;
}
@@ -241,13 +241,13 @@ async function exchangeCodeForTokens(r) {
try {
const tokenset = JSON.parse(reply.responseText);
if (tokenset.error) {
- r.error("OIDC " + tokenset.error + " " + tokenset.error_description);
+ r.error("OIDC for " + r.headersIn['host'] + r.uri + " " + tokenset.error + " " + tokenset.error_description);
r.return(500);
return null;
}
return tokenset;
} catch (e) {
- r.error("OIDC token response not JSON: " + reply.responseText);
+ r.error("OIDC token response not JSON for " + r.headersIn['host'] + r.uri + ": " + reply.responseText);
r.return(502);
return null;
}
@@ -267,9 +267,9 @@ async function refreshTokens(r) {
try {
const tokenset = JSON.parse(reply.responseText);
if (!tokenset.id_token) {
- r.error("OIDC refresh response did not include id_token");
+ r.error("OIDC refresh response for " + r.headersIn['host'] + r.uri + " did not include id_token");
if (tokenset.error) {
- r.error("OIDC " + tokenset.error + " " + tokenset.error_description);
+ r.error("OIDC for " + r.headersIn['host'] + r.uri + " " + tokenset.error + " " + tokenset.error_description);
}
return null;
}
@@ -336,13 +336,13 @@ async function handleFrontChannelLogout(r) {
// Validate input parameters
if (!sid) {
- r.error("Missing sid parameter in front-channel logout request");
+ r.error("Missing sid parameter in front-channel logout request for " + r.headersIn['host'] + r.uri);
r.return(400, "Missing sid");
return;
}
if (!requestIss) {
- r.error("Missing iss parameter in front-channel logout request");
+ r.error("Missing iss parameter in front-channel logout request for " + r.headersIn['host'] + r.uri);
r.return(400, "Missing iss");
return;
}
@@ -373,7 +373,7 @@ async function handleFrontChannelLogout(r) {
const claims = await getTokenClaims(r, sessionJwt);
if (claims.iss !== requestIss) {
- r.error("Issuer mismatch during logout. Received iss: " +
+ r.error("Issuer mismatch during logout for " + r.headersIn['host'] + r.uri + " Received iss: " +
requestIss + ", expected: " + claims.iss);
r.return(400, "Issuer mismatch");
return;
@@ -401,7 +401,7 @@ function initiateNewAuth(r) {
);
if (missingConfig.length) {
- r.error("OIDC missing configuration variables: $oidc_" + missingConfig.join(" $oidc_"));
+ r.error("OIDC missing configuration variables for " + r.headersIn['host'] + r.uri + ": $oidc_" + missingConfig.join(" $oidc_"));
r.return(500, r.variables.internal_error_message);
return;
}
@@ -467,7 +467,7 @@ function generateTokenRequestParams(r, grant_type) {
body += "&refresh_token=" + r.variables.refresh_token;
break;
default:
- r.error("Unsupported grant type: " + grant_type);
+ r.error("Unsupported grant type for " + r.headersIn['host'] + r.uri + ": " + grant_type);
return;
}
@@ -493,21 +493,21 @@ function handleTokenError(r, reply) {
try {
const errorset = JSON.parse(reply.responseText);
if (errorset.error) {
- r.error("OIDC error from IdP during token exchange: " +
+ r.error("OIDC error from IdP during token exchange for " + r.headersIn['host'] + r.uri + ": " +
errorset.error + ", " + errorset.error_description);
} else {
- r.error("OIDC unexpected response from IdP (HTTP " +
+ r.error("OIDC unexpected response from IdP for " + r.headersIn['host'] + r.uri + " (HTTP " +
reply.status + "). " + reply.responseText);
}
} catch (e) {
- r.error("OIDC unexpected response from IdP (HTTP " + reply.status + "). " +
+ r.error("OIDC unexpected response from IdP for " + r.headersIn['host'] + r.uri + " (HTTP " + reply.status + "). " +
reply.responseText);
}
}
function handleRefreshError(r, reply) {
- let errorLog = "OIDC refresh failure";
+ let errorLog = "OIDC refresh failure for " + r.headersIn['host'] + r.uri;
if (reply.status === 504) {
errorLog += ", timeout waiting for IdP";
} else if (reply.status === 400) {