Log WWW-Authenticate header on errors if present #318

Open
MarkRx opened this issue May 16, 2024 · 1 comment

MarkRx commented May 16, 2024

What feature do you want to see added?

Some providers may put additional information in the WWW-Authenticate header when a request fails. This should get logged if present to make diagnosing errors easier.

Example:

Exception

```
WARNING: Caught unhandled exception with ID 0fe16c06-236a-42f3-93e9-caa2f96bccfe
java.lang.Exception: Token request failed: com.google.api.client.http.HttpResponseException: 401 Unauthorized
GET https://adfs.is.payxdev.com/adfs/userinfo/"
    at org.kohsuke.stapler.HttpResponses.error(HttpResponses.java:92)
    at org.jenkinsci.plugins.oic.OicSecurityRealm$3.onSuccess(OicSecurityRealm.java:957)
    at org.jenkinsci.plugins.oic.OicSession.finishLogin(OicSession.java:218)
    at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1285)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
```

Request:

```
GET https://adfs.website.com/adfs/userinfo/ HTTP/1.1
Accept-Encoding: gzip
Authorization: Bearer <...>
User-Agent: Google-HTTP-Java-Client/1.44.1 (gzip)
Host: adfs.website.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
```

Response:

```
HTTP/1.1 401 Unauthorized
Content-Length: 0
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
Strict-Transport-Security: max-age = 31536000
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:;
WWW-Authenticate: Bearer error="invalid_token", error_description="MSIS9921: Received invalid UserInfo request. Audience 'microsoft:identityserver:a8a9eaa2-ce5f-4e32-b637-5259e7ee7122' in the access token is not same as the identifier of the UserInfo relying party trust 'urn:microsoft:userinfo'."
Date: Thu, 16 May 2024 12:12:14 GMT
```

Upstream changes

No response

Are you interested in contributing this feature?

No response

@michael-doubez
Contributor

Good idea
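
One way the requested logging could look, as an added example that is not the plugin's code and not part of the thread above: it parses the `error` and `error_description` parameters of a Bearer challenge (RFC 6750) and builds a log line from them. The class and method names are hypothetical, and it assumes the header carries a single Bearer challenge; because the value is controlled by the remote server, control characters are neutralised and the length is capped before logging.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WwwAuthenticateLogging {
    private static final Logger LOGGER = Logger.getLogger(WwwAuthenticateLogging.class.getName());
    // auth-param = name "=" ( token / quoted-string ), RFC 7235 section 2.1
    private static final Pattern PARAM =
            Pattern.compile("([A-Za-z0-9_.-]+)\\s*=\\s*(?:\"((?:[^\"\\\\]|\\\\.)*)\"|([^\\s,\"]+))");
    private static final int MAX_VALUE_LENGTH = 512;

    /** Parses the auth-params of a Bearer challenge; returns an empty map for other schemes. */
    static Map<String, String> parseBearerChallenge(String header) {
        Map<String, String> params = new LinkedHashMap<>();
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            return params;
        }
        Matcher m = PARAM.matcher(header.substring(7));
        while (m.find()) {
            // Quoted values may contain backslash escapes; unescape them.
            String value = m.group(2) != null ? m.group(2).replaceAll("\\\\(.)", "$1") : m.group(3);
            params.put(m.group(1).toLowerCase(Locale.ROOT), sanitize(value));
        }
        return params;
    }

    /** Replaces control characters (CR/LF included) so the value cannot forge log lines, then caps the length. */
    static String sanitize(String value) {
        String clean = value.replaceAll("\\p{Cntrl}", "_");
        return clean.length() > MAX_VALUE_LENGTH ? clean.substring(0, MAX_VALUE_LENGTH) + "..." : clean;
    }

    /** Builds the diagnostic line from response data only; the request's Authorization header is never included. */
    static String describeFailure(int status, String wwwAuthenticate) {
        Map<String, String> p = parseBearerChallenge(wwwAuthenticate);
        if (p.isEmpty()) {
            return "HTTP " + status + " (no Bearer challenge details)";
        }
        return "HTTP " + status + " error=" + p.getOrDefault("error", "-")
                + " error_description=" + p.getOrDefault("error_description", "-");
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the response in the issue, shortened.
        String header = "Bearer error=\"invalid_token\", error_description=\"MSIS9921: Received invalid UserInfo request.\"";
        LOGGER.warning(describeFailure(401, header));
    }
}
```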
