Add additional logging to troubleshoot failed backchannel logout issues + don't show clientSecret/secret in debug logs #632
Pull Request Overview
This PR enhances troubleshooting capabilities for backchannel logout functionality by adding additional debug logging while also improving security by redacting sensitive information from logs. The changes help developers identify specific failure points in the backchannel logout process while preventing accidental exposure of secrets.
- Added debug logging for missing logout tokens and JWT verification failures
- Redacted sensitive information (clientSecret and secret) from configuration debug logs
- Improved clarity of existing error logging messages
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| middleware/auth.js | Redacts clientSecret and secret values from configuration debug logs |
| lib/context.js | Adds debug logging for backchannel logout failures and improves existing error message clarity |
@@ -22,7 +22,7 @@ const enforceLeadingSlash = (path) => { | |||
*/ | |||
const auth = function (params) { | |||
const config = getConfig(params); | |||
debug('configuration object processed, resulting configuration: %O', config); | |||
debug('configuration object processed, resulting configuration: %O', {...config, clientSecret: "REDACTED", secret: "REDACTED"}); |
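Review bot: the spread on the new `debug(... %O ...)` line writes the literal "REDACTED" for `clientSecret` and `secret` whether or not they were set, so the dump can no longer answer the most common troubleshooting question (was a secret configured at all?); prefer `clientSecret: config.clientSecret ? 'REDACTED' : undefined` (same for `secret`), or log presence and length instead of a fixed marker. The shallow spread also covers only these two top-level keys, so any other secret-bearing option that `getConfig(params)` returns is still printed in full; an allow-list of fields worth dumping would be safer than a block-list of two names.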
The spread operator approach may not handle nested objects containing sensitive data. Consider using a dedicated function to recursively redact sensitive fields or ensure no nested sensitive data exists in the config object.
Suggested change (replacing the `debug(...)` line above with):

```js
const redactSensitiveFields = (obj, fieldsToRedact) => {
  if (obj && typeof obj === 'object') {
    return Object.keys(obj).reduce((acc, key) => {
      acc[key] = fieldsToRedact.includes(key)
        ? "REDACTED"
        : redactSensitiveFields(obj[key], fieldsToRedact);
      return acc;
    }, Array.isArray(obj) ? [] : {});
  }
  return obj;
};
const redactedConfig = redactSensitiveFields(config, ['clientSecret', 'secret']);
debug('configuration object processed, resulting configuration: %O', redactedConfig);
```
@@ -424,6 +424,7 @@ class ResponseContext { | |||
res.setHeader('cache-control', 'no-store'); | |||
const logoutToken = req.body.logout_token; | |||
if (!logoutToken) { | |||
debug('req.oidc.backchannelLogout() failed due to missing logout token', req.body); |
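Review bot: on the added `debug(...)` line, `req.body` is the raw POST body of the backchannel logout endpoint, read on the line above with no check visible here on who sent it, so dumping it verbatim copies caller-controlled data into the debug log: extra fields, oversized values and embedded newlines all land in whatever log pipeline `debug` output reaches. Log only what the diagnosis needs, e.g. `Object.keys(req.body)` and a boolean for `logout_token`, and keep the token value itself out of the log in the success path as well, since a logout token is a JWT that identifies a user session.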
Logging the entire req.body could potentially expose sensitive information. Consider logging only non-sensitive fields or a sanitized version of the request body.
Suggested change (replacing the `debug(...)` line above with):

```js
debug('req.oidc.backchannelLogout() failed due to missing logout token. logout_token present: %s', !!req.body.logout_token);
```
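The two review points above, masking secrets in the configuration dump and logging a failed backchannel logout request without echoing its body, as one added JavaScript example. This is illustration code written for this page, not code from this library, from openid-client or from the PR; `redactForDebug`, `describeLogoutRequest`, the field-name pattern and the sample objects are assumptions. It goes beyond the two fixed keys in the diff: secrets at any depth and inside arrays are replaced, cycles are cut, the input is not mutated, and the log keeps the presence and length of each secret so the dump still tells a troubleshooter whether a value was configured.

```javascript
// Added example for this page: a debug-log helper that hides secret material but keeps
// the signal a troubleshooter needs (was the value set, how long is it, how many values),
// plus a sanitised summary of a backchannel logout request body. Illustration code only;
// the helper names, the field-name heuristic and the sample objects are assumptions, not
// the library's API.

// Assumption: secret-bearing options can be recognised by their name. Extend this
// pattern for the real configuration surface rather than relying on two fixed keys.
const SECRET_FIELD_PATTERN = /secret|password|privateKey|signingKey/i;

function isSecretField(name) {
  return SECRET_FIELD_PATTERN.test(name);
}

// Replace a secret with a description of its shape, never its content.
function describeSecret(value) {
  if (value === undefined || value === null) return '<unset>';
  if (Array.isArray(value)) return `<redacted: ${value.length} value(s)>`;
  if (typeof value === 'object') return '<redacted object>';
  return `<redacted: ${String(value).length} chars>`;
}

// Deep copy for logging: secrets at any depth are replaced, arrays are walked,
// cycles are cut, and the input object is never mutated.
function redactForDebug(value, ancestors = new Set()) {
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '<circular>';
  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((item) => redactForDebug(item, ancestors));
  } else {
    out = {};
    for (const [key, child] of Object.entries(value)) {
      out[key] = isSecretField(key) ? describeSecret(child) : redactForDebug(child, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Summarise the POST body of a backchannel logout request without echoing it. The
// body is caller-controlled input: field names are length-capped and stripped of
// control characters so they cannot inject lines into the log, and the logout_token
// value (a JWT identifying a user session) is described but never written out.
function describeLogoutRequest(body) {
  const isObject = body !== null && typeof body === 'object';
  const fields = isObject ? Object.keys(body) : [];
  const token = isObject ? body.logout_token : undefined;
  const tokenIsString = typeof token === 'string';
  return {
    bodyType: body === null ? 'null' : Array.isArray(body) ? 'array' : typeof body,
    fieldCount: fields.length,
    fields: fields.slice(0, 20).map((k) => k.replace(/[^\w.-]/g, '?').slice(0, 64)),
    logoutTokenPresent: tokenIsString && token.length > 0,
    logoutTokenLength: tokenIsString ? token.length : 0,
    // 3 segments means a compact JWS, 5 a JWE; anything else is not a JWT at all.
    logoutTokenSegments: tokenIsString ? token.split('.').length : 0,
  };
}

// Constructed sample input, shaped like an OIDC middleware configuration.
const SAMPLE_CONFIG = {
  issuerBaseURL: 'https://issuer.example.test',
  clientID: 'my-client',
  clientSecret: 'hunter2',
  secret: ['current-cookie-key', 'previous-cookie-key'],
  session: { cookie: { secret: 'x' } },
  routes: { callback: '/callback' },
};

// Constructed sample request body: a well-formed token plus a hostile extra field
// whose name carries a newline.
const SAMPLE_BODY = { logout_token: 'aaa.bbb.ccc', 'x\ny': '1' };

console.log(JSON.stringify(redactForDebug(SAMPLE_CONFIG), null, 2));
console.log(JSON.stringify(describeLogoutRequest(SAMPLE_BODY)));
```

Wire `redactForDebug` in front of the `%O` argument of the configuration dump and `describeLogoutRequest(req.body)` in front of the failure log; both return plain objects that `debug`'s `%O` formatter prints unchanged.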
By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
Extra logging to troubleshoot backchannel logout failing. In my case we were using a different version of jose in our app than the one used in this library (which uses openid-client), resulting in multiple class definitions of KeyStore being used, which in turn resulted in the error "key must be an instance of a key instantiated by JWK.asKey, a valid JWK.asKey input, or a JWKS.KeyStore instance" being suppressed.
No breaking changes, just logging changes
None
References
None
Testing
Existing test cases should cover this
If you want to test this, run through backchannel logout
Checklist