Not enough log info when Keyclock rejects authorization
Bug #1737500 reported by
Renat Akhmerov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mistral |
Fix Released
|
Medium
|
idan Narotzki |
Bug Description
When Keyclock rejects authorization to a Mistral endpoint the client receives "401 UNAUTHORIZED" without any additional details. We need to print all Keyclock response body when it happens to the log with DEBUG level so that we could investigate what happened.
Changed in mistral: | |
milestone: | none → queens-3 |
importance: | Undecided → Medium |
Changed in mistral: | |
milestone: | queens-3 → rocky-1 |
Changed in mistral: | |
status: | New → In Progress |
Changed in mistral: | |
assignee: | nobody → idan Narotzki (idanaroz) |
To post a comment you must log in.
Reviewed: https:/ /review. openstack. org/559661 /git.openstack. org/cgit/ openstack/ mistral/ commit/ ?id=1ece440ac5f 4b613385b446230 22421a60256bc7
Committed: https:/
Submitter: Zuul
Branch: master
commit 1ece440ac5f4b61 3385b4462302242 1a60256bc7
Author: Idan Narotzki <email address hidden>
Date: Mon Apr 9 08:37:55 2018 +0000
Adding WWW-Authenticate info.
Sometimes when mistral requests are failing with "401 Unauthorized"
against keycloak, the reason are not mentioned in the logs.
In case keycloack return 401 it must provide the www-Authenticate /www.w3. org/Protocols/ HTTP/1. 0/spec. html#WWW- Authenticate
response header with the reason:
https:/
This code take care of it by adding the WWW-Authenticate value to
mistral api-log.
Change-Id: I7ae221aaeb2233 184bd4818490e72 ff662dca5cb
Closes-Bug: #1737500