argoproj · omerap12 · Nov 21, 2024 · Nov 22, 2024 · Nov 22, 2024 · Nov 22, 2024
@@ -43,6 +43,21 @@ const (
 	AccessTokenCachePrefix      = "access_token"
 )
 
+// Request Metadata for warning message
+type RequestMetadata struct {
+	ipAddr string
+}
+
+func (r *RequestMetadata) String() string {
+	return fmt.Sprintf("Client IP: %s", r.ipAddr)
+}
+
+func newRequestMetadata(r *http.Request) *RequestMetadata {
+	return &RequestMetadata{
+		ipAddr: r.RemoteAddr,
+	}
+}
+
 // OIDCConfiguration holds a subset of interested fields from the OIDC configuration spec
 type OIDCConfiguration struct {
 	Issuer                 string   `json:"issuer"`
@@ -149,13 +164,14 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTl
 }
 
 func (a *ClientApp) oauth2Config(request *http.Request, scopes []string) (*oauth2.Config, error) {
+	rMetadata := newRequestMetadata(request)
 	endpoint, err := a.provider.Endpoint()
 	if err != nil {
 		return nil, err
 	}
 	redirectURL, err := a.settings.RedirectURLForRequest(request)
 	if err != nil {
-		log.Warnf("Unable to find ArgoCD URL from request, falling back to configured redirect URI: %v", err)
+		log.Warnf("Unable to find ArgoCD URL from request, falling back to configured redirect URI: %v. %s", err, rMetadata)
 		redirectURL = a.redirectURI
 	}
 	return &oauth2.Config{
@@ -197,6 +213,7 @@ func (a *ClientApp) generateAppState(returnURL string, w http.ResponseWriter) (s
 }
 
 func (a *ClientApp) verifyAppState(r *http.Request, w http.ResponseWriter, state string) (string, error) {
+	rMetadata := newRequestMetadata(r)
 	c, err := r.Cookie(common.StateCookieName)
 	if err != nil {
 		return "", err
@@ -219,7 +236,7 @@ func (a *ClientApp) verifyAppState(r *http.Request, w http.ResponseWriter, state
 			if len(sanitizedUrl) > 100 {
 				sanitizedUrl = sanitizedUrl[:100]
 			}
-			log.Warnf("Failed to verify app state - got invalid redirectURL %q", sanitizedUrl)
+			log.Warnf("Failed to verify app state - got invalid redirectURL %q. %s", sanitizedUrl, rMetadata)
 			return "", fmt.Errorf("failed to verify app state: %w", InvalidRedirectURLError)
 		}
 		redirectURL = parts[1]
@@ -338,6 +355,7 @@ func (a *ClientApp) HandleLogin(w http.ResponseWriter, r *http.Request) {
 
 // HandleCallback is the callback handler for an OAuth2 login flow
 func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) {
+	rMetadata := newRequestMetadata(r)
 	oauth2Config, err := a.oauth2Config(r, nil)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -375,7 +393,7 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) {
 
 	idToken, err := a.provider.Verify(idTokenRAW, a.settings)
 	if err != nil {
-		log.Warnf("Failed to verify token: %s", err)
+		log.Warnf("Failed to verify token: %s. %s", err, rMetadata)
 		http.Error(w, common.TokenVerificationError, http.StatusInternalServerError)
 		return
 	}

@@ -130,9 +130,6 @@ func (p *providerImpl) Verify(tokenString string, argoSettings *settings.ArgoCDS
 			if err == nil {
 				break
 			}
-			// We store the error for each audience so that we can return a more detailed error message to the user.
-			// If this gets merged, we'll be able to detect failures unrelated to audiences and short-circuit this loop
-			// to avoid logging irrelevant warnings: https://github.com/coreos/go-oidc/pull/406
 			tokenVerificationErrors[aud] = err
 		}
 		// If the most recent attempt encountered an error, and if we have collected multiple errors, switch to the