providers/oauth2: add additional tracing to token view

This commit is contained in:
Jens Langhammer 2022-04-14 16:45:26 +00:00
parent 8242b09394
commit 7561ea15de

View file

@ -8,6 +8,7 @@ from django.http import HttpRequest, HttpResponse
from django.utils.timezone import datetime, now from django.utils.timezone import datetime, now
from django.views import View from django.views import View
from jwt import InvalidTokenError, decode from jwt import InvalidTokenError, decode
from sentry_sdk.hub import Hub
from structlog.stdlib import get_logger from structlog.stdlib import get_logger
from authentik.core.models import ( from authentik.core.models import (
@ -94,6 +95,9 @@ class TokenParams:
) )
def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs): def __check_policy_access(self, app: Application, request: HttpRequest, **kwargs):
with Hub.current.start_span(
op="authentik.providers.oauth2.token.policy",
):
engine = PolicyEngine(app, self.user, request) engine = PolicyEngine(app, self.user, request)
engine.request.context["oauth_scopes"] = self.scope engine.request.context["oauth_scopes"] = self.scope
engine.request.context["oauth_grant_type"] = self.grant_type engine.request.context["oauth_grant_type"] = self.grant_type
@ -118,10 +122,19 @@ class TokenParams:
raise TokenError("invalid_client") raise TokenError("invalid_client")
if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: if self.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.code",
):
self.__post_init_code(raw_code) self.__post_init_code(raw_code)
elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN: elif self.grant_type == GRANT_TYPE_REFRESH_TOKEN:
with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.refresh",
):
self.__post_init_refresh(raw_token, request) self.__post_init_refresh(raw_token, request)
elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]: elif self.grant_type in [GRANT_TYPE_CLIENT_CREDENTIALS, GRANT_TYPE_PASSWORD]:
with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse.client_credentials",
):
self.__post_init_client_credentials(request) self.__post_init_client_credentials(request)
else: else:
LOGGER.warning("Invalid grant type", grant_type=self.grant_type) LOGGER.warning("Invalid grant type", grant_type=self.grant_type)
@ -330,6 +343,9 @@ class TokenView(View):
def post(self, request: HttpRequest) -> HttpResponse: def post(self, request: HttpRequest) -> HttpResponse:
"""Generate tokens for clients""" """Generate tokens for clients"""
try: try:
with Hub.current.start_span(
op="authentik.providers.oauth2.post.parse",
):
client_id, client_secret = extract_client_auth(request) client_id, client_secret = extract_client_auth(request)
try: try:
self.provider = OAuth2Provider.objects.get(client_id=client_id) self.provider = OAuth2Provider.objects.get(client_id=client_id)
@ -341,6 +357,9 @@ class TokenView(View):
raise ValueError raise ValueError
self.params = TokenParams.parse(request, self.provider, client_id, client_secret) self.params = TokenParams.parse(request, self.provider, client_id, client_secret)
with Hub.current.start_span(
op="authentik.providers.oauth2.post.response",
):
if self.params.grant_type == GRANT_TYPE_AUTHORIZATION_CODE: if self.params.grant_type == GRANT_TYPE_AUTHORIZATION_CODE:
LOGGER.debug("Converting authorization code to refresh token") LOGGER.debug("Converting authorization code to refresh token")
return TokenResponse(self.create_code_response()) return TokenResponse(self.create_code_response())