Add logging

[Budlee]

Expected Behavior

The Jwt Validators that are provided on the oauth jose package have no logging in them when they fail. It makes it hard when debugging to understand when a Jwt Token has failed and for what reason.
I'm not sure if this is on purpose for security reasons to not log the failure

Current Behavior

No loggin in the default JWT Validators

Context

This has slowed down debugging and understanding which validator has failed.
Debug messages when the logging is set to debug would be helpful.

To get an insight into what JWTs are failing have patched the validators and manually setup the JwtDecoder/ReactiveJwtDecoder.

They can not be extended as they are all Final so patching is the only option.

[jzheaux]

Thanks for raising this, @Budlee. We certainly want to ensure that there's enough logging available.

Before knowing what the right change is, let's get on the same page about what is missing. In Spring Security, each authentication filter logs failures at the DEBUG level, so you can do:

logging:
  level:
    org.springframework.security: DEBUG

and you'll see failure information, for example when a bearer token fails validation.

On the Servlet side, you'll see an exception like:

...
Caused by: com.nimbusds.jose.proc.BadJWSException: Signed JWT rejected: Invalid signature
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:405) ~[nimbus-jose-jwt-8.17.1.jar:8.17.1]
	at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330) ~[nimbus-jose-jwt-8.17.1.jar:8.17.1]
	at org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder.createClaimsSet(NimbusReactiveJwtDecoder.java:531) ~[spring-security-oauth2-jose-5.4.0-SNAPSHOT.jar:5.4.0-SNAPSHOT]
	... 63 common frames omitted

On the WebFlux side, you'll see a simple message:

Authentication failed: Failed to validate the token

I think things can be improved on the WebFlux side, and perhaps they can be improved on the Servlet side as well.

Can you elaborate on what information that you aren't able to get that you need?

[Budlee]

@jzheaux this is why i did not see it as I am using reactive for pretty much everything currently.

Would you accept a PR that adds more logging to the reactive implementation and are there any constaints?

[jzheaux]

Got it, makes sense.

a PR that adds more logging

You've come at the right time. :) Logging is something we're taking a look at generally for the 5.4 release. Some initial work on the reactive side was just merged.

Now, to set expectations, plenty may change in Spring Security's logging story between now and the release. But, I think one place that would probably give you quite a bit more than you have right now would be to log the full exception in AuthenticationWebFilter like is done on the servlet side. Currently, I think it only does "Authentication Failed: " + e.getMessage() or similar.

[Budlee]

@jzheaux i've added some additional debug messages for Jwt and the ReactiveAuth manager. Any suggestions