Improve jwt message with added reason

aklivity · Jun 3, 2024 · 187bd0e · 187bd0e
1 parent 656b19a
commit 187bd0e
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 11 deletions.
diff --git a/...guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtEventContext.java b/...guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtEventContext.java
@@ -52,13 +52,15 @@ public JwtEventContext(
     public void authorizationFailed(
         long traceId,
         long bindingId,
-        String identity)
+        String identity,
+        String reason)
     {
         JwtEventExFW extension = jwtEventExRW
             .wrap(extensionBuffer, 0, extensionBuffer.capacity())
             .authorizationFailed(e -> e
                 .typeId(AUTHORIZATION_FAILED.value())
                 .identity(identity)
+                .reason(reason)
             )
             .build();
         EventFW event = eventRW

diff --git a/...ard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtEventFormatter.java b/...ard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtEventFormatter.java
@@ -47,17 +47,20 @@ public String format(
         case AUTHORIZATION_FAILED:
         {
             JwtAuthorizationFailedExFW ex = extension.authorizationFailed();
-            result = String.format("No active session found for token identity (%s).", identity(ex.identity()));
+            result = String.format("JWT token authorization failed for identity (%s). %s",
+                    asString(ex.identity()),
+                    asString(ex.reason())
+            );
             break;
         }
         }
         return result;
     }
 
-    private static String identity(
-        StringFW identity)
+    private static String asString(
+            StringFW stringFW)
     {
-        int length = identity.length();
-        return length <= 0 ? "-" : identity.asString();
+        String s = stringFW.asString();
+        return s == null ? "" : s;
     }
 }
diff --git a/...guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardHandler.java b/...guard-jwt/src/main/java/io/aklivity/zilla/runtime/guard/jwt/internal/JwtGuardHandler.java
@@ -128,6 +128,7 @@ public long reauthorize(
     {
         JwtSession session = null;
         String subject = null;
+        String reason = "";
 
         authorize:
         try
@@ -142,13 +143,15 @@ public long reauthorize(
                 key == null ||
                 !Objects.equals(alg, key.getAlgorithm()))
             {
+                reason = "Invalid alg or key.";
                 break authorize;
             }
 
             signature.setKey(null);
             signature.setKey(key.getKey());
             if (!signature.verifySignature())
             {
+                reason = "Unable to verify key signature.";
                 break authorize;
             }
 
@@ -162,10 +165,15 @@ public long reauthorize(
 
             long now = Instant.now().toEpochMilli();
             if (notBefore != null && now < notBefore.getValueInMillis() ||
-                notAfter != null && now > notAfter.getValueInMillis() ||
-                issuer == null || !issuer.equals(this.issuer) ||
+                notAfter != null && now > notAfter.getValueInMillis())
+            {
+                reason = "Token is expired.";
+                break authorize;
+            }
+            if (issuer == null || !issuer.equals(this.issuer) ||
                 audience == null || !audience.contains(this.audience))
             {
+                reason = "Invalid issuer or audience.";
                 break authorize;
             }
 
@@ -191,11 +199,11 @@ public long reauthorize(
         }
         catch (JoseException | InvalidJwtException | MalformedClaimException ex)
         {
-            // not authorized
+            reason = ex.getMessage();
         }
         if (session == null)
         {
-            event.authorizationFailed(traceId, bindingId, subject);
+            event.authorizationFailed(traceId, bindingId, subject, reason);
         }
         return session != null ? session.authorized : NOT_AUTHORIZED;
     }

diff --git a/specs/guard-jwt.spec/src/main/resources/META-INF/zilla/jwt.idl b/specs/guard-jwt.spec/src/main/resources/META-INF/zilla/jwt.idl
@@ -24,6 +24,7 @@ scope jwt
         struct JwtAuthorizationFailedEx extends core::stream::Extension
         {
             string8 identity;
+            string16 reason;
         }
 
         union JwtEventEx switch (JwtEventType)

diff --git a/specs/guard-jwt.spec/src/main/scripts/io/aklivity/zilla/specs/guard/jwt/config/event.yaml b/specs/guard-jwt.spec/src/main/scripts/io/aklivity/zilla/specs/guard/jwt/config/event.yaml
@@ -24,7 +24,7 @@ telemetry:
           - qname: test.net0
             id: guard.jwt.authorization.failed
             name: GUARD_JWT_AUTHORIZATION_FAILED
-            message: No active session found for token identity (user).
+            message: JWT token authorization failed for identity (user). Token is expired.
 guards:
   jwt0:
     type: jwt