fix(openid): add subject_types_supported in well-known OIDC config

fix: add more debug logs
2025-06-24 18:47:28 +02:00 · 2025-06-24 18:46:01 +02:00
3 changed files with 8 additions and 4 deletions
--- a/lib/http_server/src/controllers/api/oauth2/access_token.rs
+++ b/lib/http_server/src/controllers/api/oauth2/access_token.rs
@ -1,7 +1,7 @@
 use axum::{extract::State, http::StatusCode, response::{Html, IntoResponse}, Extension, Form, Json};
 use chrono::{Duration, Utc};
 use fully_pub::fully_pub;
-use log::error;
+use log::{debug, error};
 use serde::{Deserialize, Serialize};

 use kernel::{models::authorization::Authorization, repositories::users::get_user_by_id};
@ -11,7 +11,7 @@ use crate::{

 const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;

-#[derive(Serialize, Deserialize)]
+#[derive(Serialize, Deserialize, Debug)]
 #[fully_pub]
 struct AccessTokenRequestParams {
    grant_type: String,
@ -48,6 +48,7 @@ pub async fn get_access_token(
    let authorization = match authorizations_res {
        Ok(val) => val,
        Err(sqlx::Error::RowNotFound) => {
+            error!("Received invalid authorization_code.");
            return (
                StatusCode::BAD_REQUEST,
                Json("Invalid authorization_code.")
@ -68,12 +69,15 @@ pub async fn get_access_token(
            Utc::now().signed_duration_since(ts) < Duration::seconds(AUTHORIZATION_CODE_TTL_SECONDS)
        });
    if !is_code_valid {
+        debug!("Received expired authorization code");
        return (
            StatusCode::BAD_REQUEST,
            Json("Authorization code has expired.")
        ).into_response();
    }

+    debug!("Generating access_token and id_token.");
+
    // 2.3. Fetch user resource owner
    let user = get_user_by_id(&app_state.db, &authorization.user_id)
        .await
--- a/lib/http_server/src/controllers/api/openid/keys.rs
+++ b/lib/http_server/src/controllers/api/openid/keys.rs
@ -1,5 +1,3 @@
-use std::str::FromStr;
-
 use jsonwebkey_convert_repaired::RSAPublicKey;
 use jsonwebkey_convert_repaired::der::FromPem;

--- a/lib/http_server/src/controllers/api/openid/well_known.rs
+++ b/lib/http_server/src/controllers/api/openid/well_known.rs
@ -17,6 +17,7 @@ struct WellKnownOpenIdConfiguration {
    userinfo_endpoint: String,
    scopes_supported: Vec<String>,
    response_types_supported: Vec<String>,
+    subject_types_supported: Vec<String>,
    token_endpoint_auth_methods_supported: Vec<String>,
    id_token_signing_alg_values_supported: Vec<String>,
    jwks_uri: String
@ -33,6 +34,7 @@ pub async fn get_well_known_openid_configuration(
        userinfo_endpoint: format!("{}/api/user", base_url),
        scopes_supported: AuthorizationScope::iter().map(|v| v.to_string()).collect(),
        response_types_supported: vec!["code".into()],
+        subject_types_supported: vec!["public".into(), "pairwise".into()],
        token_endpoint_auth_methods_supported: vec!["client_secret_basic".into()],
        id_token_signing_alg_values_supported: vec!["RS256".into()],
        jwks_uri: format!("{}/.well-known/jwks", base_url)
Author	SHA1	Message	Date
Matthieu Bessat	905c57000a	fix(openid): add subject_types_supported in well-known OIDC config	2025-06-24 18:47:28 +02:00
Matthieu Bessat	18b33c00a7	fix: add more debug logs	2025-06-24 18:46:01 +02:00