Print OIDC token payload (#222)

Print the JSON payload for the OIDC token for the better debuggability regarding the WIP policy. Signed-off-by: Jiankun Lu <jiankun@google.com>
google · Jul 19, 2022 · 7296853 · 7296853
1 parent f2b7b10
commit 7296853
Showing 1 changed file with 12 additions and 1 deletion.
diff --git a/launcher/container_runner.go b/launcher/container_runner.go
@@ -349,6 +349,18 @@ func (r *ContainerRunner) refreshToken(ctx context.Context) (time.Duration, erro
 		return 0, fmt.Errorf("failed to write token to container mount source point: %v", err)
 	}
 
+	// Print out the claims in the jwt payload
+	mapClaims := jwt.MapClaims{}
+	_, _, err = jwt.NewParser().ParseUnverified(string(token), mapClaims)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse token: %w", err)
+	}
+	claimsString, err := json.MarshalIndent(mapClaims, "", "  ")
+	if err != nil {
+		return 0, fmt.Errorf("failed to format claims: %w", err)
+	}
+	r.logger.Println(string(claimsString))
+
 	return time.Duration(float64(time.Until(claims.ExpiresAt.Time)) * defaultRefreshMultiplier), nil
 }
 
@@ -357,7 +369,6 @@ func (r *ContainerRunner) fetchAndWriteToken(ctx context.Context) error {
 	if err := os.MkdirAll(HostTokenPath, 0744); err != nil {
 		return err
 	}
-
 	duration, err := r.refreshToken(ctx)
 	if err != nil {
 		return err