Bug #7325

closed

Usefulness of error messages when API server's sso_app_id is not recognized by SSO server

Added by Joshua Randall over 10 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assigned To: -
Category: Documentation
Target version: -
Story points: -

Description

We just tracked down an issue with our configuration in which we had:

sso_app_id: "arvados_server"

instead of:

sso_app_id: "arvados-server"

I.e. the SSO server has a client configured called "arvados-server" (as suggested in the SSO install docs) but not one called "arvados_server".

The most useful error message we could find that led us to eventually figure this out was in the nginx passenger logs:

App 55510 stdout: (joshid) Authentication failure! invalid_credentials: OAuth2::Error, Could not find application:
App 55510 stdout: {"error":"Could not find application"}

There are several issues with the quality of these error messages:

1. The way that passenger logs these errors, it is not clear who is speaking (is this the API server? is this the SSO server?). Perhaps these messages could be prefixed by an identifier of which passenger app is speaking, or alternatively this issue could be clearly logged in the arvados logs themselves?
2. The level of detail given in the error message "Could not find application: " is lacking.

If it had instead said:

arvados-sso: Authentication failure! invalid_credentials: OAuth2::Error, Could not find application client id: "arvados_server" 

Then we could have traced the typo down much more quickly.

It would also be nice if the production.log for both the API server and the SSO server would have noted this log, along with an informative message about what might be done to fix it from their perspective:

I.e. the API server might have said:

Authentication failure - the SSO server does not seem to recognize our client ID. Is sso_app_id set correctly? (sso_app_id: "arvados_server")

And the SSO server production.log could have said:

Authentication failure - an OAuth client presented an unrecognized client ID ("arvados_server"). If you wish to create a client ID/secret pair using this ID, you can do so via the console: 
$ RAILS_ENV=production bundle exec rails console
:001 > c = Client.new
:002 > c.name = "joshid" 
:003 > c.app_id = "arvados_server" 
:004 > c.app_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" 
:005 > c.save!
:006 > quit
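
The comparison the report asks the logs to make, as an added example (not Arvados or SSO server code): it finds the passenger "App <pid> stdout:" lines carrying the unknown-application failure and checks a configured sso_app_id against a list of registered app_ids, flagging IDs that differ only in separators. The function names, the third sample log line and the registered-ID list are constructed assumptions; the list is assumed to be exported from the SSO server's Client records.

```ruby
# Added example: log triage and config check, not Arvados or SSO server code.
# Function names and the registered-ID list are hypothetical.

PASSENGER_LINE = /\AApp (?<pid>\d+) stdout: (?<msg>.*)\z/
UNKNOWN_APP    = /Could not find application/

# Collapse case and separator differences so "arvados_server" and
# "arvados-server" compare equal.
def normalize_id(id)
  id.downcase.gsub(/[^a-z0-9]/, "")
end

# PIDs of passenger apps whose stdout reported the unknown-client failure.
def failing_pids(log_text)
  log_text.each_line.filter_map do |line|
    m = PASSENGER_LINE.match(line.chomp)
    m[:pid].to_i if m && m[:msg] =~ UNKNOWN_APP
  end.uniq
end

# Compare the configured sso_app_id with the app_ids registered on the SSO
# server; return nil on an exact match, otherwise a diagnostic message.
def diagnose(configured_id, registered_ids)
  return nil if registered_ids.include?(configured_id)
  near = registered_ids.select { |r| normalize_id(r) == normalize_id(configured_id) }
  msg = "SSO server does not recognize client ID #{configured_id.inspect}."
  if near.empty?
    msg + " No similar client is registered."
  else
    msg + " Did you mean #{near.map(&:inspect).join(', ')}?"
  end
end

# First two lines are the ones quoted in the report; the third is constructed.
SAMPLE_LOG = <<~LOG
  App 55510 stdout: (joshid) Authentication failure! invalid_credentials: OAuth2::Error, Could not find application:
  App 55510 stdout: {"error":"Could not find application"}
  App 55512 stdout: Started GET "/" for 127.0.0.1
LOG

if __FILE__ == $PROGRAM_NAME
  unless failing_pids(SAMPLE_LOG).empty?
    puts diagnose("arvados_server", ["arvados-server"])
  end
end
```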

Actions #2

Updated by Brett Smith over 10 years ago

  • Status changed from New to In Progress
Actions #3

Updated by Peter Amstutz about 6 years ago

  • Status changed from In Progress to Closed