@flink-app/oidc-plugin 2.0.0-alpha.88 → 2.0.0-alpha.90

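--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,22 @@
 # @flink-app/oidc-plugin
 
+## 2.0.0-alpha.90
+
+### Patch Changes
+
+- e18a37b: Add raw IdP response trace logs and prune redundant debug logs
+- Updated dependencies [0d84b5f]
+- @flink-app/flink@2.0.0-alpha.90
+- @flink-app/jwt-auth-plugin@2.0.0-alpha.90
+
+## 2.0.0-alpha.89
+
+### Patch Changes
+
+- Fix OIDC trace logs
+- @flink-app/flink@2.0.0-alpha.89
+- @flink-app/jwt-auth-plugin@2.0.0-alpha.89
+
 ## 2.0.0-alpha.88
 
 ### Patch Changes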
@@ -1 +1 @@
1
- {"version":3,"file":"CallbackOidc.d.ts","sourceRoot":"","sources":["../../src/handlers/CallbackOidc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAc,UAAU,EAAwC,MAAM,kBAAkB,CAAC;AAC5G,OAAO,eAAe,MAAM,4BAA4B,CAAC;AAOzD;;GAEG;AACH,UAAU,UAAU;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,UAGnB,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,YAAY,EAAE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,CAiRnE,CAAC;AAEF,eAAe,YAAY,CAAC"}
1
+ {"version":3,"file":"CallbackOidc.d.ts","sourceRoot":"","sources":["../../src/handlers/CallbackOidc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAc,UAAU,EAAwC,MAAM,kBAAkB,CAAC;AAC5G,OAAO,eAAe,MAAM,4BAA4B,CAAC;AAOzD;;GAEG;AACH,UAAU,UAAU;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAAC;CACzB;AAED;;;GAGG;AACH,eAAO,MAAM,KAAK,EAAE,UAGnB,CAAC;AAEF;;;;;;GAMG;AACH,QAAA,MAAM,YAAY,EAAE,UAAU,CAAC,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,eAAe,CA4QnE,CAAC;AAEF,eAAe,YAAY,CAAC"}
@@ -114,7 +114,6 @@ const CallbackOidc = async ({ ctx, req }) => {
114
114
  }
115
115
  const oidcProvider = await providerRegistry.getProvider(provider);
116
116
  // Exchange authorization code for tokens with PKCE validation
117
- log_1.oidcLog.debug(`Callback: exchanging authorization code for tokens`);
118
117
  const tokenSet = await oidcProvider.exchangeCodeForToken({
119
118
  code,
120
119
  codeVerifier: session.codeVerifier,
@@ -123,11 +122,9 @@ const CallbackOidc = async ({ ctx, req }) => {
123
122
  });
124
123
  log_1.oidcLog.debug(`Callback: token exchange successful`, `sub="${tokenSet.claims.sub}"`, `iss="${tokenSet.claims.iss}"`, `email="${tokenSet.claims.email || "(none)"}"`, `hasRefreshToken=${!!tokenSet.refreshToken}`, `expiresIn=${tokenSet.expiresIn ?? "(none)"}s`);
125
124
  // Build user profile from ID token and UserInfo
126
- log_1.oidcLog.debug(`Callback: building user profile`);
127
125
  const profile = await oidcProvider.buildProfile(tokenSet, true);
128
126
  log_1.oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
129
127
  // Call onAuthSuccess callback to create/link user and generate JWT token
130
- log_1.oidcLog.debug(`Callback: calling onAuthSuccess`);
131
128
  const authSuccessParams = {
132
129
  profile,
133
130
  claims: tokenSet.claims,
@@ -164,7 +161,6 @@ const CallbackOidc = async ({ ctx, req }) => {
164
161
  }
165
162
  return (0, flink_1.internalServerError)("Authentication failed. Please try again.");
166
163
  }
167
- log_1.oidcLog.debug(`Callback: onAuthSuccess completed`);
168
164
  // Extract user and JWT token from callback result
169
165
  const { user, token, redirectUrl } = authResult;
170
166
  if (!token) {
@@ -1 +1 @@
1
- {"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAkEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAqC/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAajE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IA8BjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
1
+ {"version":3,"file":"OidcProvider.d.ts","sourceRoot":"","sources":["../../src/providers/OidcProvider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAwD,gBAAgB,EAAE,MAAM,eAAe,CAAC;AACvG,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,WAAW,MAAM,wBAAwB,CAAC;AACjD,OAAO,YAAY,MAAM,yBAAyB,CAAC;AAKnD;;;;;;;;;;GAUG;AACH,qBAAa,YAAY;IACrB,OAAO,CAAC,MAAM,CAAqB;IACnC,OAAO,CAAC,MAAM,CAA+B;IAC7C,OAAO,CAAC,MAAM,CAAuB;IACrC,OAAO,CAAC,WAAW,CAAkB;gBAEzB,MAAM,EAAE,kBAAkB;IAItC;;;;;;;OAOG;IACG,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAsEjC;;;;;OAKG;IACG,mBAAmB,CAAC,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,MAAM,CAAC;IAiB1G;;;;;;;OAOG;IACG,oBAAoB,CAAC,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,YAAY,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,YAAY,CAAC;IAoD/H;;;;;;;;OAQG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAsBjE;;;;;;;;;OASG;IACG,YAAY,CAAC,QAAQ,EAAE,YAAY,EAAE,eAAe,GAAE,OAAc,GAAG,OAAO,CAAC,WAAW,CAAC;IAgCjG;;;;OAIG;YACW,iBAAiB;IAU/B;;;;OAIG;IACH,iBAAiB,IAAI,GAAG;CAM3B"}
@@ -41,6 +41,7 @@ class OidcProvider {
41
41
  log_1.oidcLog.debug(`Provider "${this.config.issuer}": discovering from ${this.config.discoveryUrl}`);
42
42
  this.issuer = await openid_client_1.Issuer.discover(this.config.discoveryUrl);
43
43
  log_1.oidcLog.debug(`Provider "${this.config.issuer}": discovery complete`, `authorization_endpoint=${this.issuer.metadata.authorization_endpoint}`, `token_endpoint=${this.issuer.metadata.token_endpoint}`, `userinfo_endpoint=${this.issuer.metadata.userinfo_endpoint ?? "(none)"}`, `jwks_uri=${this.issuer.metadata.jwks_uri}`);
44
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw discovery metadata from ${this.config.discoveryUrl}`, this.issuer.metadata);
44
45
  }
45
46
  // Option 2: Manual configuration
46
47
  else {
@@ -120,8 +121,13 @@ class OidcProvider {
120
121
  state: params.state,
121
122
  nonce: params.nonce,
122
123
  });
124
+ // Raw response from the token endpoint (includes access_token, id_token,
125
+ // refresh_token, token_type, expires_at, scope, and any non-standard fields
126
+ // returned by the IdP). Trace-level because it contains secrets.
127
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw token endpoint response`, { ...tokenSet });
123
128
  // Extract claims from ID token (already validated by openid-client)
124
129
  const claims = tokenSet.claims();
130
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": extracted claims from ID token`, claims);
125
131
  return {
126
132
  accessToken: tokenSet.access_token,
127
133
  idToken: tokenSet.id_token,
@@ -133,6 +139,15 @@ class OidcProvider {
133
139
  };
134
140
  }
135
141
  catch (error) {
142
+ // openid-client attaches the raw IdP error response on OPError.
143
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw token exchange error`, {
144
+ name: error.name,
145
+ message: error.message,
146
+ error: error.error,
147
+ error_description: error.error_description,
148
+ error_uri: error.error_uri,
149
+ response: error.response?.body ?? error.response,
150
+ });
136
151
  throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.TOKEN_EXCHANGE_FAILED, `Token exchange failed: ${error.message}`, {
137
152
  originalError: error.message,
138
153
  errorCode: error.error,
@@ -152,9 +167,18 @@ class OidcProvider {
152
167
  await this.ensureInitialized();
153
168
  try {
154
169
  const userinfo = await this.client.userinfo(accessToken);
170
+ // Raw response from the UserInfo endpoint, before any mapping/merging.
171
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo endpoint response`, userinfo);
155
172
  return userinfo;
156
173
  }
157
174
  catch (error) {
175
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo error`, {
176
+ name: error.name,
177
+ message: error.message,
178
+ error: error.error,
179
+ error_description: error.error_description,
180
+ response: error.response?.body ?? error.response,
181
+ });
158
182
  throw (0, error_utils_1.createOidcError)(error_utils_1.OidcErrorCodes.USERINFO_FAILED, `UserInfo request failed: ${error.message}`, {
159
183
  originalError: error.message,
160
184
  });
@@ -190,9 +214,11 @@ class OidcProvider {
190
214
  if (this.config.claimMapping) {
191
215
  const customClaims = (0, claims_mapper_1.extractCustomClaims)(claims, this.config.claimMapping);
192
216
  claims = { ...claims, ...customClaims };
217
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": applied custom claim mapping`, claims);
193
218
  }
194
219
  // Map to normalized profile
195
220
  const profile = (0, claims_mapper_1.mapClaimsToProfile)(claims);
221
+ log_1.oidcLog.trace(`Provider "${this.config.issuer}": built final profile`, profile);
196
222
  return profile;
197
223
  }
198
224
  /**
@@ -1 +1 @@
1
- {"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAI3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAAyE;IAChG,OAAO,CAAC,GAAG,CAAM;gBAGb,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,EACvF,GAAG,CAAC,EAAE,GAAG;IAOb;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IAiD9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}
1
+ {"version":3,"file":"ProviderRegistry.d.ts","sourceRoot":"","sources":["../../src/providers/ProviderRegistry.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAI3D;;;;;;;;GAQG;AACH,qBAAa,gBAAgB;IACzB,OAAO,CAAC,eAAe,CAAqC;IAC5D,OAAO,CAAC,iBAAiB,CAAwC;IACjE,OAAO,CAAC,cAAc,CAAC,CAAyE;IAChG,OAAO,CAAC,GAAG,CAAM;gBAGb,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,kBAAkB,CAAC,EACnD,cAAc,CAAC,EAAE,CAAC,YAAY,EAAE,MAAM,EAAE,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,EACvF,GAAG,CAAC,EAAE,GAAG;IAOb;;;;;;;;;;;;;OAaG;IACG,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC;IA+C9D;;;;;OAKG;IACH,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO;IAI1C;;;;;;;OAOG;IACH,UAAU,CAAC,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI;IAQvC;;;;OAIG;IACH,gBAAgB,IAAI,MAAM,EAAE;CAG/B"}
@@ -59,10 +59,8 @@ class ProviderRegistry {
59
59
  }
60
60
  log_1.oidcLog.debug(`Provider "${providerName}" resolved via ${configSource}:`, `issuer=${config.issuer}`, `clientId=${config.clientId}`, `clientSecret=${(0, log_1.maskSecret)(config.clientSecret)}`, `callbackUrl=${config.callbackUrl}`, config.discoveryUrl ? `discoveryUrl=${config.discoveryUrl}` : `authorizationEndpoint=${config.authorizationEndpoint}`, `scope=${(config.scope || ["openid", "email", "profile"]).join(" ")}`);
61
61
  // Create and initialize provider
62
- log_1.oidcLog.debug(`Provider "${providerName}": initializing OIDC client`);
63
62
  const provider = new OidcProvider_1.OidcProvider(config);
64
63
  await provider.initialize();
65
- log_1.oidcLog.debug(`Provider "${providerName}": initialized successfully`);
66
64
  // Cache the instance
67
65
  this.providerInstances.set(providerName, provider);
68
66
  return provider;
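--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@flink-app/oidc-plugin",
-"version": "2.0.0-alpha.88",
+"version": "2.0.0-alpha.90",
 "description": "Flink plugin for OIDC authentication with generic IdP support",
 "author": "joel@frost.se",
 "license": "MIT",
@@ -11,10 +11,10 @@
 },
 "dependencies": {
 "openid-client": "^5.7.0",
-"@flink-app/jwt-auth-plugin": "2.0.0-alpha.88"
+"@flink-app/jwt-auth-plugin": "2.0.0-alpha.90"
 },
 "peerDependencies": {
-"@flink-app/flink": ">=2.0.0-alpha.88",
+"@flink-app/flink": ">=2.0.0-alpha.90",
 "mongodb": "^6.15.0"
 },
 "peerDependenciesMeta": {
@@ -27,9 +27,9 @@
 "@types/node": "22.13.10",
 "ts-node": "^10.9.2",
 "tsc-watch": "^4.2.9",
-"@flink-app/flink": "2.0.0-alpha.88",
-"@flink-app/test-utils": "2.0.0-alpha.88",
-"@flink-app/jwt-auth-plugin": "2.0.0-alpha.88"
+"@flink-app/flink": "2.0.0-alpha.90",
+"@flink-app/jwt-auth-plugin": "2.0.0-alpha.90",
+"@flink-app/test-utils": "2.0.0-alpha.90"
 },
 "scripts": {
 "test": "jasmine-ts --config=./spec/support/jasmine.json",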
@@ -142,7 +142,6 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
142
142
  const oidcProvider = await providerRegistry.getProvider(provider);
143
143
 
144
144
  // Exchange authorization code for tokens with PKCE validation
145
- oidcLog.debug(`Callback: exchanging authorization code for tokens`);
146
145
  const tokenSet = await oidcProvider.exchangeCodeForToken({
147
146
  code,
148
147
  codeVerifier: session.codeVerifier,
@@ -160,12 +159,10 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
160
159
  );
161
160
 
162
161
  // Build user profile from ID token and UserInfo
163
- oidcLog.debug(`Callback: building user profile`);
164
162
  const profile = await oidcProvider.buildProfile(tokenSet, true);
165
163
  oidcLog.debug(`Callback: profile built id="${profile.id}" email="${profile.email || "(none)"}" name="${profile.name || "(none)"}"`);
166
164
 
167
165
  // Call onAuthSuccess callback to create/link user and generate JWT token
168
- oidcLog.debug(`Callback: calling onAuthSuccess`);
169
166
  const authSuccessParams = {
170
167
  profile,
171
168
  claims: tokenSet.claims,
@@ -207,8 +204,6 @@ const CallbackOidc: GetHandler<any, any, PathParams, CallbackRequest> = async ({
207
204
  return internalServerError("Authentication failed. Please try again.");
208
205
  }
209
206
 
210
- oidcLog.debug(`Callback: onAuthSuccess completed`);
211
-
212
207
  // Extract user and JWT token from callback result
213
208
  const { user, token, redirectUrl } = authResult;
214
209
 
@@ -52,6 +52,10 @@ export class OidcProvider {
52
52
  `userinfo_endpoint=${this.issuer.metadata.userinfo_endpoint ?? "(none)"}`,
53
53
  `jwks_uri=${this.issuer.metadata.jwks_uri}`
54
54
  );
55
+ oidcLog.trace(
56
+ `Provider "${this.config.issuer}": raw discovery metadata from ${this.config.discoveryUrl}`,
57
+ this.issuer.metadata
58
+ );
55
59
  }
56
60
  // Option 2: Manual configuration
57
61
  else {
@@ -149,8 +153,14 @@ export class OidcProvider {
149
153
  }
150
154
  );
151
155
 
156
+ // Raw response from the token endpoint (includes access_token, id_token,
157
+ // refresh_token, token_type, expires_at, scope, and any non-standard fields
158
+ // returned by the IdP). Trace-level because it contains secrets.
159
+ oidcLog.trace(`Provider "${this.config.issuer}": raw token endpoint response`, { ...tokenSet });
160
+
152
161
  // Extract claims from ID token (already validated by openid-client)
153
162
  const claims = tokenSet.claims();
163
+ oidcLog.trace(`Provider "${this.config.issuer}": extracted claims from ID token`, claims);
154
164
 
155
165
  return {
156
166
  accessToken: tokenSet.access_token!,
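Review bot: The added `oidcLog.trace(..., { ...tokenSet })` call writes `access_token`, `refresh_token` and `id_token` to the log in cleartext, and the log level is the only thing standing between those bearer credentials and whatever sink collects trace output. The log module already exports `maskSecret` (the compiled ProviderRegistry hunk applies it to `clientSecret`), so the spread can override the three fields: `{ ...tokenSet, access_token: maskSecret(tokenSet.access_token), refresh_token: maskSecret(tokenSet.refresh_token), id_token: maskSecret(tokenSet.id_token) }`; this assumes `maskSecret` accepts an absent `refresh_token` and is imported in this file, neither of which the hunk shows. The compiled copy of this hunk earlier on the page carries the same line. The enclosing method starts and ends outside the hunk.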
@@ -162,6 +172,15 @@ export class OidcProvider {
162
172
  claims,
163
173
  };
164
174
  } catch (error: any) {
175
+ // openid-client attaches the raw IdP error response on OPError.
176
+ oidcLog.trace(`Provider "${this.config.issuer}": raw token exchange error`, {
177
+ name: error.name,
178
+ message: error.message,
179
+ error: error.error,
180
+ error_description: error.error_description,
181
+ error_uri: error.error_uri,
182
+ response: error.response?.body ?? error.response,
183
+ });
165
184
  throw createOidcError(OidcErrorCodes.TOKEN_EXCHANGE_FAILED, `Token exchange failed: ${error.message}`, {
166
185
  originalError: error.message,
167
186
  errorCode: error.error,
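Review bot: The `response: error.response?.body ?? error.response` fallback logs the entire response object whenever the IdP error carries no parsed body. If that object is the HTTP response openid-client attaches to the error, serialising it can pull the originating request and its headers into the log, which for a token request may include the client credentials. Recording only bounded fields avoids that: `response: error.response?.body,` and, if the object exposes it, `statusCode: error.response?.statusCode,`. The UserInfo error trace in the next hunk and the compiled copies of both hunks use the same fallback. The catch block continues outside the hunk.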
@@ -183,8 +202,17 @@ export class OidcProvider {
183
202
 
184
203
  try {
185
204
  const userinfo = await this.client!.userinfo(accessToken);
205
+ // Raw response from the UserInfo endpoint, before any mapping/merging.
206
+ oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo endpoint response`, userinfo);
186
207
  return userinfo;
187
208
  } catch (error: any) {
209
+ oidcLog.trace(`Provider "${this.config.issuer}": raw UserInfo error`, {
210
+ name: error.name,
211
+ message: error.message,
212
+ error: error.error,
213
+ error_description: error.error_description,
214
+ response: error.response?.body ?? error.response,
215
+ });
188
216
  throw createOidcError(OidcErrorCodes.USERINFO_FAILED, `UserInfo request failed: ${error.message}`, {
189
217
  originalError: error.message,
190
218
  });
@@ -223,10 +251,12 @@ export class OidcProvider {
223
251
  if (this.config.claimMapping) {
224
252
  const customClaims = extractCustomClaims(claims, this.config.claimMapping);
225
253
  claims = { ...claims, ...customClaims };
254
+ oidcLog.trace(`Provider "${this.config.issuer}": applied custom claim mapping`, claims);
226
255
  }
227
256
 
228
257
  // Map to normalized profile
229
258
  const profile = mapClaimsToProfile(claims);
259
+ oidcLog.trace(`Provider "${this.config.issuer}": built final profile`, profile);
230
260
 
231
261
  return profile;
232
262
  }
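Review bot: The two added trace calls log the merged `claims` and the final `profile` in full, with no comment marking them as personal data the way the token-endpoint trace is marked for secrets. Together with the ID-token claims trace and the raw UserInfo trace in the earlier hunks, one sign-in now writes the same user attributes up to four times. I would add `// Trace-level: contains personal data (email, name, mapped custom claims).` above each call, and for the mapping step log `Object.keys(customClaims)` instead of the merged object, since the values are already in the preceding records. The method body starts outside the hunk.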
@@ -80,10 +80,8 @@ export class ProviderRegistry {
80
80
  );
81
81
 
82
82
  // Create and initialize provider
83
- oidcLog.debug(`Provider "${providerName}": initializing OIDC client`);
84
83
  const provider = new OidcProvider(config);
85
84
  await provider.initialize();
86
- oidcLog.debug(`Provider "${providerName}": initialized successfully`);
87
85
 
88
86
  // Cache the instance
89
87
  this.providerInstances.set(providerName, provider);