Bug 58114 - Enhance log message why retrieving OIDC access token failed
Summary: Enhance log message why retrieving OIDC access token failed
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.2-1-errata
Assignee: Florian Best
QA Contact: Johannes Lohmer
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2025-03-25 08:04 CET by Florian Best
Modified: 2025-04-14 10:35 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Florian Best univentionstaff 2025-03-25 08:04:03 CET
The error logging when retrieving access tokens from OIDC OPs fails should contain useful information.

Information from Ticket:
In `management/univention-management-console/src/univention/management/console/oidc.py:150` the line

```
CORE.error('Could not get access token: %s' % (exc.response.body,))
```

logs the body of HTTP errors. This log message is sufficient if a connection had been established, but in a customer environment only the following got logged:

```
26.02.25 11:35:46.308  MAIN        ( ERROR   ) : Could not get access token: None
```

The `exc` caught is an HTTPClientError and we should think about printing the whole exception to the log in case `exc.response.body` is `None`. E.g.

```
CORE.error('Could not get access token: %s' % (exc.response.body if exc.response.body is not None else exc,))
```

This would make it easier to understand why the access token could not be retrieved.
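The following is an added example, not UMC code, showing how a log formatter can cover the cases the report describes: a server that answered with a body (HTML from the reverse proxy, or a JSON `error`/`error_description` object as defined by RFC 6749 section 5.2), a body of `None` from a transport failure, and a missing `response` altogether. It assumes the attribute shape of `tornado.httpclient.HTTPClientError` (`code`, `message`, optional `response` with `.body`) and defines constructed stand-ins so it runs without Tornado; the function names and the truncation limit are this example's own choices.

```python
"""Format a failed OIDC token request for logging (added example, not UMC code)."""
import json
from typing import Optional

# Constructed stand-ins that mirror only the attributes the log code reads.
# They imitate tornado.httpclient.HTTPResponse / HTTPClientError and are not
# the real classes.
class FakeResponse:
    def __init__(self, body: Optional[bytes]):
        self.body = body


class FakeHTTPClientError(Exception):
    def __init__(self, code: int, message: str, response: Optional[FakeResponse] = None):
        # Tornado's __str__ is "HTTP %d: %s", which is what the 599 log lines show.
        super().__init__("HTTP %d: %s" % (code, message))
        self.code = code
        self.message = message
        self.response = response


MAX_BODY = 200  # assumed limit; keeps a full 503 HTML page from flooding the log


def _format_oauth_error(text: str) -> Optional[str]:
    """If the body is an RFC 6749 error object, return 'error (error_description)'."""
    try:
        data = json.loads(text)
    except ValueError:
        return None
    if not isinstance(data, dict) or "error" not in data:
        return None
    description = data.get("error_description")
    if description:
        return "%s (%s)" % (data["error"], description)
    return str(data["error"])


def describe_token_error(exc: Exception, max_body: int = MAX_BODY) -> str:
    """Return the most informative one-line reason for a token-endpoint failure.

    Preference order:
      1. the HTTP error body, if the server answered with one
         (JSON OAuth errors are summarised, other bodies are flattened and truncated),
      2. otherwise str(exc), which for a Tornado 599 carries the transport reason
         (TLS hostname mismatch, connection refused, timeout).
    """
    response = getattr(exc, "response", None)
    body = getattr(response, "body", None)
    if not body:  # None (no server answer) or b'' both mean "nothing useful from the server"
        return str(exc)
    text = body.decode("utf-8", errors="replace") if isinstance(body, bytes) else str(body)
    formatted = _format_oauth_error(text)
    if formatted is None:
        formatted = " ".join(text.split())  # collapse HTML newlines into one log line
    if len(formatted) > max_body:
        formatted = formatted[:max_body] + "..."
    return formatted


def log_token_failure(exc: Exception) -> str:
    """Build the log message; returned rather than printed so it can be checked."""
    return "Could not get access token: %s" % (describe_token_error(exc),)


if __name__ == "__main__":
    # Constructed sample failures, modelled on the cases in this report.
    samples = [
        FakeHTTPClientError(599, "Failed to connect to ucs-sso-ng.ucs.test port 443 after 3075 ms: Couldn't connect to server", FakeResponse(None)),
        FakeHTTPClientError(599, "Timeout while connecting", None),
        FakeHTTPClientError(503, "Service Unavailable", FakeResponse(b"<html><head>\n<title>503 Service Unavailable</title>\n</head></html>")),
        FakeHTTPClientError(404, "Not Found", FakeResponse(b'{"error":"Unable to find matching target resource method","error_description":"For more on this error consult the server log at the debug level."}')),
    ]
    for sample in samples:
        print(log_token_failure(sample))
```

The important branch is the first one: when Tornado reports a transport error the body is `None`, so falling back to `str(exc)` is what turns `Could not get access token: None` into a message that names the unreachable host or the certificate mismatch.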
Comment 2 Florian Best univentionstaff 2025-03-25 09:08:57 CET
feat(umc): enhance log message when retrieving OIDC access token failed

Different reasons for errors:

When changing the host to any other reachable system:
```
MAIN        ( ERROR   ) : Could not get access token: HTTP 599: SSL: certificate subject name (dns.quad9.net) does not match target host name 'ucs-sso-ng.ucs.test'
```

When changing the host to any other unreachable system:
```
MAIN        ( ERROR   ) : Could not get access token: HTTP 599: Failed to connect to ucs-sso-ng.ucs.test port 443 after 3075 ms: Couldn't connect to server
```

When stopping keycloak:
```
MAIN        ( ERROR   ) : Could not get access token: b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>503 Service Unavailable</title>\n</head><body>\n<h1>Service Unavailable</h1>\n<p>The server is temporaril>
```

Wrong URL configured:
```
MAIN        ( ERROR   ) : Could not get access token: b'{"error":"Unable to find matching target resource method","error_description":"For more on this error consult the server log at the debug level."}'
```

No sensitive data is logged.

univention-management-console.yaml
249fc481a405 | feat(umc): enhance log message when retrieving OIDC access token failed

univention-management-console (14.0.46-1)
249fc481a405 | feat(umc): enhance log message when retrieving OIDC access token failed
Comment 3 Johannes Lohmer univentionstaff 2025-03-27 09:51:54 CET
yaml ok
manually tested ok
code-review ok
debian package ok
Comment 4 Christian Castens univentionstaff 2025-04-02 14:09:59 CEST
<https://errata.software-univention.de/#/?erratum=5.2x60>