coupergateway / couper

Couper is a lightweight API gateway designed to support developers in building and operating API-driven Web projects
https://couper.io
MIT License

`backend_response` not usable in OIDC token and userinfo requests #797

Open johakoch opened 7 months ago

johakoch commented 7 months ago

Describe the bug

The variable backend_response is not usable when custom-logging OIDC token and userinfo responses. However, it can be used when custom-logging openid-configuration and JWKS responses.

To Reproduce
Steps to reproduce the behavior:

  1. Which Couper version? Run couper version or docker run coupergateway/couper version
$ couper version
0 2024-02-01 dev
go version go1.20.6 linux/amd64
  2. Provide your configuration file *.hcl. Remove sensitive data.
server "oidc_client" {
  api "oidc_spa" {
    base_path = "/oidc/spa"

    endpoint "/start" {
      response {
        status = 302
        headers = {
          cache-control = "no-cache,no-store"
          location = oauth2_authorization_url("oidc_spa")
          set-cookie = "vf=${oauth2_verifier()};HttpOnly;Path=/oidc/spa/redir"
        }
      }
    }

    endpoint "/redir" {
      access_control = ["oidc_spa"]

      response {
        headers = {
          cache-control = "no-cache,no-store"
          set-cookie = "vf=;HttpOnly;Path=/oidc/spa/redir;Max-Age=0"
        }
        json_body = request.context.oidc_spa
      }
    }
  }
}

definitions {
  backend "idp" {
    origin = env.IDP_ORIGIN
    custom_log_fields = {
      br = backend_response.json_body
      foo = "bar"
    }
  }

  oidc "oidc_spa" {
    configuration_url = "/.well-known/openid-configuration"
    backend = "idp"
    client_id = env.OIDC_CLIENT_ID
    client_secret = env.OIDC_CLIENT_SECRET
    redirect_uri = "/oidc/spa/redir"
    verifier_value = request.cookies.vf
  }
}
  3. Provide a curl call for reproduction. You may use your browser's developer console and hit "copy as curl".

  4. See an error response or error log.

INFO[0000] backend=idp build=dev custom="map[br:map[authorization_endpoint:...] foo:bar]" method=GET request="map[... name:oidc_spa ...]" ... status=200 ... type=couper_backend ... url=".../.well-known/openid-configuration" ...
...
INFO[0000] backend=idp build=dev custom="map[br:map[keys:[...] foo:bar]" method=GET request="map[... name:jwks ...]" ... status=200 ... type=couper_backend ... url=".../oauth/v2/keys" ...
...
INFO[0016] ... backend=idp build=dev custom="map[foo:bar]" method=POST request="map[... name:<nil> ... ] ... token_request=oauth2 type=couper_backend ... url=".../oauth/v2/token" ...
...
INFO[0017] backend=idp build=dev custom="map[foo:bar]" method=GET request="map[... name:<nil> ...]" ... status=200 ... type=couper_backend ... url=".../oidc/v1/userinfo" ...

Here you see in the log entries for the openid-configuration and the JWKS requests that, in addition to foo:bar, there is also a br entry representing the JSON response body. In the log entries for the token and userinfo requests only foo:bar is logged, with no br entry.

And: the logged request name for token and userinfo requests is <nil>.

Expected behavior

I expect that the response received from the token and userinfo requests can also be custom-logged.

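The effect described in this report can be checked mechanically, which is also handy for verifying a fix later. The following Python script is an added example and is not part of the report or of Couper itself: it parses Couper's logrus-style text log lines (key=value pairs, values bare or double-quoted), keeps the type=couper_backend entries and flags every entry whose custom field lacks the expected br key or whose request name is <nil>. The sample log is constructed from the abbreviated lines above; the idp.example URLs are placeholders and the elided fields have been dropped.

```python
import re
from typing import Dict, Iterable, List

# Constructed log lines modelled on the four backend entries in the report.
# idp.example is a placeholder origin; fields elided in the report are omitted.
SAMPLE_LOG = """\
INFO[0000] backend=idp build=dev custom="map[br:map[authorization_endpoint:https://idp.example/authorize] foo:bar]" method=GET request="map[name:oidc_spa]" status=200 type=couper_backend url="https://idp.example/.well-known/openid-configuration"
INFO[0000] backend=idp build=dev custom="map[br:map[keys:[]] foo:bar]" method=GET request="map[name:jwks]" status=200 type=couper_backend url="https://idp.example/oauth/v2/keys"
INFO[0016] backend=idp build=dev custom="map[foo:bar]" method=POST request="map[name:<nil>]" status=200 token_request=oauth2 type=couper_backend url="https://idp.example/oauth/v2/token"
INFO[0017] backend=idp build=dev custom="map[foo:bar]" method=GET request="map[name:<nil>]" status=200 type=couper_backend url="https://idp.example/oidc/v1/userinfo"
"""

# logrus text format: key=value, where value is either a double-quoted string
# (may contain spaces and escaped quotes) or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one logrus text line into its key=value fields, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def has_custom_key(custom: str, key: str) -> bool:
    """True if `key:` appears as a top-level-looking entry in a Go map dump
    such as `map[br:map[...] foo:bar]` (preceded by `[` or a space)."""
    return re.search(r"(?<=[\[ ])" + re.escape(key) + ":", custom) is not None


def check_backend_logs(log: str, expected_keys: Iterable[str] = ("br",)) -> List[dict]:
    """Return one finding per couper_backend entry that is missing an expected
    custom_log_fields key or whose request name was logged as <nil>."""
    findings: List[dict] = []
    for line in log.splitlines():
        fields = parse_line(line)
        if fields.get("type") != "couper_backend":
            continue
        custom = fields.get("custom", "")
        missing = [k for k in expected_keys if not has_custom_key(custom, k)]
        name_nil = "name:<nil>" in fields.get("request", "")
        if missing or name_nil:
            findings.append({
                "url": fields.get("url"),
                "method": fields.get("method"),
                "missing": missing,
                "request_name_nil": name_nil,
            })
    return findings


if __name__ == "__main__":
    for finding in check_backend_logs(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the script reports exactly the two entries the report complains about (the token and the userinfo request), each missing br and each with a <nil> request name, while the openid-configuration and JWKS entries pass. Pointing it at a real Couper log after a fix should yield no findings.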