chore: Add OIDC debug logging (#4658)

Signed-off-by: Dan Webb <dan.webb@damacus.io>
2025-07-19 13:19:41 +02:00 · 2024-12-30 21:20:15 +00:00 · 2024-12-30 21:20:15 +00:00 · 716c5c1d87
commit 716c5c1d87
parent 5d33694bc6
2 changed files with 40 additions and 0 deletions
--- a/mealie/core/security/providers/openid_provider.py
+++ b/mealie/core/security/providers/openid_provider.py
@ -27,6 +27,11 @@ class OpenIDProvider(AuthProvider[UserInfo]):
            self._logger.error("[OIDC] No claims in the id_token")
            return None

+        # Log all claims for debugging
+        self._logger.debug("[OIDC] Received claims:")
+        for key, value in claims.items():
+            self._logger.debug("[OIDC]   %s: %s", key, value)
+
        if not self.required_claims.issubset(claims.keys()):
            self._logger.error(
                "[OIDC] Required claims not present. Expected: %s Actual: %s",
@ -35,6 +40,12 @@ class OpenIDProvider(AuthProvider[UserInfo]):
            )
            return None

+        # Check for empty required claims
+        for claim in self.required_claims:
+            if not claims.get(claim):
+                self._logger.error("[OIDC] Required claim '%s' is empty", claim)
+                return None
+
        repos = get_repositories(self.session, group_id=None, household_id=None)

        is_admin = False
--- a/tests/unit_tests/core/security/providers/test_openid_provider.py
+++ b/tests/unit_tests/core/security/providers/test_openid_provider.py
@ -1,5 +1,6 @@
 import pytest
 from pytest import MonkeyPatch, Session
+import logging

 from mealie.core.config import get_app_settings
 from mealie.core.security.providers.openid_provider import OpenIDProvider
@ -20,6 +21,18 @@ def test_empty_claims():
    assert auth_provider.authenticate() is None


+def test_empty_required_claims():
+    data = {
+        "preferred_username": "dude1",
+        "email": "",  # Empty required claim
+        "name": "Firstname Lastname",
+        "groups": ["mealie_user"],
+    }
+    auth_provider = OpenIDProvider(None, data)
+
+    assert auth_provider.authenticate() is None
+
+
 def test_missing_claims():
    data = {"preferred_username": "dude1"}
    auth_provider = OpenIDProvider(None, data)
@ -162,3 +175,19 @@ def test_ldap_user_creation_invalid_group_or_household(
        assert user is not None
    else:
        assert user is None
+
+
+def test_claims_logging(caplog, session: Session):
+    caplog.set_level(logging.DEBUG)
+    data = {
+        "preferred_username": "testuser",
+        "email": "test@example.com",
+        "name": "Test User",
+        "groups": ["mealie_user"],
+    }
+    auth_provider = OpenIDProvider(session, data)
+    auth_provider.authenticate()
+
+    # Verify that all claims are logged
+    for key, value in data.items():
+        assert f"{key}: {value}" in caplog.text