Troubleshooting
This page contains troubleshooting tips for the Magnolia SSO module.
Unable to log in with an SSO/OpenID setup
Starting with Magnolia 6.2.10, in your Tomcat configuration, make sure that the CookieProcessor component does not have the sameSiteCookies property set to strict. Instead, set the property to Lax:
<CookieProcessor sameSiteCookies="Lax" />
This supports OpenID top-level redirects while maintaining decent protection against cross-site request forgery (CSRF).
Before Magnolia 6.2.10, Lax was only supported in setups that do not use HTTPS behind a proxy (MAGNOLIA-8112).
If that is your case, delete the following line from your Tomcat configuration to make sure that CookieProcessor is not defined:
<CookieProcessor sameSiteCookies="…" />
This approach is less optimal: with no explicit policy set, the effective policy is decided by the browser, and more recent browser versions may apply their own default, which may lead to unexpected issues.
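The trade-off between strict, Lax and an undefined CookieProcessor can be seen in a small model of the login round trip. This is an added example, not Magnolia or Tomcat code: the browser rules are simplified, all function names and the session id are constructed, and it assumes the identity provider is on a different site than Magnolia.

```python
"""Simplified model of SameSite handling for the session cookie during an
OIDC redirect flow. Helper names and the session id are constructed."""

SESSIONS = {}  # server side: session id -> attributes (stands in for the servlet session)


def browser_sends_cookie(same_site, cross_site, top_level_get, browser_default="lax"):
    """Decide whether a browser attaches the session cookie to a request."""
    policy = same_site.lower()
    if policy == "unset":       # no SameSite attribute: the browser picks the policy
        policy = browser_default
    if not cross_site:
        return True
    if policy == "strict":
        return False            # never attached to cross-site requests
    if policy == "lax":
        return top_level_get    # only attached to top-level GET navigations
    return True                 # "none": always attached


def start_login(session_id, state):
    """Step 1: the application stores the OIDC state in the session."""
    SESSIONS[session_id] = {"state": state}


def handle_callback(cookie_session_id, returned_state):
    """Step 2: the callback needs the same session to compare the state."""
    session = SESSIONS.get(cookie_session_id)
    if session is None:
        return "login fails: no session, state cannot be checked"
    if session["state"] != returned_state:
        return "login fails: state mismatch"
    return "login succeeds"


def oidc_round_trip(same_site, browser_default="lax"):
    """The identity provider redirects the browser back (cross-site top-level GET)."""
    SESSIONS.clear()
    start_login("sess-1", "303fa1a5ec")
    sent = browser_sends_cookie(same_site, cross_site=True, top_level_get=True,
                                browser_default=browser_default)
    return handle_callback("sess-1" if sent else None, "303fa1a5ec")


def forged_post_carries_session(same_site, browser_default="lax"):
    """Cross-site form POST from an unrelated page (the CSRF case)."""
    return browser_sends_cookie(same_site, cross_site=True, top_level_get=False,
                                browser_default=browser_default)


if __name__ == "__main__":
    for value in ("strict", "Lax", "none"):
        print(f"{value:7} | {oidc_round_trip(value)} | "
              f"forged POST carries session: {forged_post_carries_session(value)}")
    # With CookieProcessor removed, the result depends on the browser's own default.
    for default in ("lax", "none"):
        print(f"unset, browser default {default}: forged POST carries session: "
              f"{forged_post_carries_session('unset', browser_default=default)}")
```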
Turn on DEBUG logs
When facing authentication or configuration issues with the SSO module, it may be helpful to turn on your DEBUG logs. Pac4j logs in particular are highly informative regarding request handling, redirects, and validating credentials.
Instructions
- Add the following loggers to your log4j2.xml configuration file:
log4j2.xml
<Logger name="org.pac4j" level="DEBUG"/>
<Logger name="info.magnolia.sso" level="DEBUG"/>
Sample output
Here is a partial sample output for a login attempt, against a mock OIDC server. Note the various stages of the OIDC authorization code flow such as redirect and callback handling.
pac4j-debug-logs.txt
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : === SECURITY ===
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : url: http://localhost:8080/.magnolia/admincentral
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : clients: OidcClient,DirectBearerAuthClient | matchers: start-sso-flow
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: Provided clientNames: OidcClient,DirectBearerAuthClient
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: clientNameOnRequest: Optional.empty
[DEBUG] org.pac4j.core.client.Clients : Found client: #OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | | for name: OidcClient
[DEBUG] org.pac4j.core.client.Clients : Found client: #DirectBearerAuthClient# | name: DirectBearerAuthClient | credentialsExtractor: org.pac4j.core.credentials.extractor.BearerAuthExtractor@47e526a5 | authenticator: info.magnolia.sso.authenticator.TokenIntrospectionAuthenticator@4f1c42c1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5d1b00c4 | authorizationGenerators: [info.magnolia.sso.oidc.FixedRoleAuthorizationGenerator@68591e1d] | realmName: authentication required | for name: DirectBearerAuthClient
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: result: [OidcClient, DirectBearerAuthClient]
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | |, #DirectBearerAuthClient# | name: DirectBearerAuthClient | credentialsExtractor: org.pac4j.core.credentials.extractor.BearerAuthExtractor@47e526a5 | authenticator: info.magnolia.sso.authenticator.TokenIntrospectionAuthenticator@4f1c42c1 | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5d1b00c4 | authorizationGenerators: [info.magnolia.sso.oidc.FixedRoleAuthorizationGenerator@68591e1d] | realmName: authentication required |]
[DEBUG] agnolia.sso.pac4j.AuthenticationServicePathMatcher: Sec-Fetch-Mode: navigate
[DEBUG] agnolia.sso.pac4j.AuthenticationServicePathMatcher: /.magnolia/admincentral starts with /.magnolia/admincentral
[DEBUG] pac4j.core.matching.checker.DefaultMatchingChecker: Checking matcher: info.magnolia.sso.pac4j.AnyMatcher@6bbc61bc -> true
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Get value: null for key: pac4jUserProfiles
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : Loaded profiles (from session: true): []
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : Performing authentication for direct client: #DirectBearerAuthClient# | name: DirectBearerAuthClient | credentialsExtractor: org.pac4j.core.credentials.extractor.BearerAuthExtractor@47e526a5 | authenticator: info.magnolia.sso.authenticator.TokenIntrospectionAuthenticator@4f1c42c1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5d1b00c4 | authorizationGenerators: [info.magnolia.sso.oidc.FixedRoleAuthorizationGenerator@68591e1d] | realmName: authentication required |
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : credentials: Optional.empty
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : Starting authentication
[DEBUG] ore.engine.savedrequest.DefaultSavedRequestHandler: requestedUrl: http://localhost:8080/.magnolia/admincentral
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Set key: pac4jRequestedUrl for value: http://localhost:8080/.magnolia/admincentral
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Get value: null for key: OidcClient$attemptedAuthentication
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Set key: OidcClient$stateSessionParameter for value: 303fa1a5ec
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: true, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Set key: OidcClient$codeVerifierSessionParameter for value: com.nimbusds.oauth2.sdk.pkce.CodeVerifier@d868d683
[DEBUG] g.pac4j.oidc.redirect.OidcRedirectionActionBuilder: Authentication request url: http://localhost:9090/auth?scope=openid+profile+email&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F.auth&state=303fa1a5ec&code_challenge_method=S256&client_id=my-client&code_challenge=Ot3OBYNNRwTc1NIT8qv3CRknICBCnUZt_obq8DMgH-M
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : === SECURITY ===
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : url: http://localhost:8080/.auth?code=8fyXB8oY_gTflXh1i3iJ4WnSt5cwmwLlnWPbX5AKCst&state=303fa1a5ec
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : clients: OidcClient,DirectBearerAuthClient | matchers: start-sso-flow
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: Provided clientNames: OidcClient,DirectBearerAuthClient
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: clientNameOnRequest: Optional.empty
[DEBUG] org.pac4j.core.client.Clients : Found client: #OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | | for name: OidcClient
[DEBUG] org.pac4j.core.client.Clients : Found client: #DirectBearerAuthClient# | name: DirectBearerAuthClient | credentialsExtractor: org.pac4j.core.credentials.extractor.BearerAuthExtractor@47e526a5 | authenticator: info.magnolia.sso.authenticator.TokenIntrospectionAuthenticator@4f1c42c1 | profileCreator: org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5d1b00c4 | authorizationGenerators: [info.magnolia.sso.oidc.FixedRoleAuthorizationGenerator@68591e1d] | realmName: authentication required | for name: DirectBearerAuthClient
[DEBUG] c4j.core.client.finder.DefaultSecurityClientFinder: result: [OidcClient, DirectBearerAuthClient]
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : currentClients: [#OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | |, #DirectBearerAuthClient# | name: DirectBearerAuthClient | credentialsExtractor: org.pac4j.core.credentials.extractor.BearerAuthExtractor@47e526a5 | authenticator: info.magnolia.sso.authenticator.TokenIntrospectionAuthenticator@4f1c42c1 | profileCreator: 
org.pac4j.core.profile.creator.AuthenticatorProfileCreator@5d1b00c4 | authorizationGenerators: [info.magnolia.sso.oidc.FixedRoleAuthorizationGenerator@68591e1d] | realmName: authentication required |]
[DEBUG] agnolia.sso.pac4j.AuthenticationServicePathMatcher: Sec-Fetch-Mode: navigate
[DEBUG] pac4j.core.matching.checker.DefaultMatchingChecker: Checking matcher: info.magnolia.sso.pac4j.AnyMatcher@6bbc61bc -> false
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : no matching for this request -> grant access
[DEBUG] org.pac4j.core.engine.DefaultCallbackLogic : === CALLBACK ===
[DEBUG] c4j.core.client.finder.DefaultCallbackClientFinder: result: []
[DEBUG] c4j.core.client.finder.DefaultCallbackClientFinder: Defaulting to the only client: #OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | |
[DEBUG] org.pac4j.core.engine.DefaultCallbackLogic : foundClient: #OidcClient# | name: OidcClient | callbackUrl: http://localhost:8080/.auth | callbackUrlResolver: org.pac4j.core.http.callback.NoParameterCallbackUrlResolver@4b68fcea | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@3f9f0acb | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@126da69f | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@479c141a | authenticator: org.pac4j.oidc.credentials.authenticator.OidcAuthenticator@43ab19a7 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@4a58a4b | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@7b839d1e | authorizationGenerators: [info.magnolia.sso.oidc.GroupsAuthorizationGenerator@49e56b9b] | configuration: #OidcConfiguration# | clientId: my-client | secret: [protected] | discoveryURI: http://localhost:9090/.well-known/openid-configuration | scope: openid profile email | customParams: {} | clientAuthenticationMethod: null | useNonce: false | preferredJwsAlgorithm: RS256 | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@5c987ab0 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@431f79e4 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@3d0a61f1 | mappedClaims: {} | allowUnsignedIdTokens: false | SSLFactory: null | |
[DEBUG] org.pac4j.oidc.credentials.extractor.OidcExtractor: Authentication response successful
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Get value: 303fa1a5ec for key: OidcClient$stateSessionParameter
[DEBUG] org.pac4j.oidc.credentials.extractor.OidcExtractor: Request state: 303fa1a5ec/response state: 303fa1a5ec
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Get value: com.nimbusds.oauth2.sdk.pkce.CodeVerifier@d868d683 for key: OidcClient$codeVerifierSessionParameter
[DEBUG] j.oidc.credentials.authenticator.OidcAuthenticator: Token response: status=200, content={"access_token":"f4urbf-6txACnfGc31c0WnN5s1u0HNGPRipiDzKXvG0","expires_in":3600,"id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleXN0b3JlLUNIQU5HRS1NRSJ9.eyJzdWIiOiJtaWthIiwiYXRfaGFzaCI6ImxGQ0ZMbFE3MXkxVWkyVEJrWXRzbnciLCJhdWQiOiJteS1jbGllbnQiLCJleHAiOjE2Njc1NzY3NjMsImlhdCI6MTY2NzU3MzE2MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDkwIn0.kjX9xjHUO56CJEEoXPc2XdMIDcR8kIx6XyPqFY6Pe6ad3BBliuP6dJe7seFt4aN6muDKi0dfFpQmpT_sl5VnfVbYivFjF3DXdxVvOwfBmBiJUq_h9OlvaeEnPljCjIdcvQAbgEk4mzXGMSamNKEbxG8kCy1aLi49AI4I006ncS0JlbD1sqJdmVIQ0dBF03k1RWtDpXp8wGAiZZtaIY4usUUZYNT3JcNgzWFQhqMrmxde95GZqVYUpMHP2qo4dx0Hvib0kd64ZwuvSLuMlen7ygpdH4cDvmNS3yUsBFjc6UM8xzr2Sjq5tVZDra9RC1Nv8pM_eSETNTd-q9lk6bNOqQ","scope":"openid profile email","token_type":"Bearer"}
[DEBUG] j.oidc.credentials.authenticator.OidcAuthenticator: Token response successful
[DEBUG] org.pac4j.oidc.client.OidcClient : Credentials validation took: 13 ms
[DEBUG] org.pac4j.oidc.client.OidcClient : clean authentication attempt from session
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : createSession: false, retrieved session: org.apache.catalina.session.StandardSessionFacade@7a6b79a5
[DEBUG] org.pac4j.jee.context.session.JEESessionStore : Remove value for key: OidcClient$attemptedAuthentication
[DEBUG] org.pac4j.core.engine.DefaultCallbackLogic : credentials: Optional[#OidcCredentials# | code: 8fyXB8oY_gTflXh1i3iJ4WnSt5cwmwLlnWPbX5AKCst | accessToken: f4urbf-6txACnfGc31c0WnN5s1u0HNGPRipiDzKXvG0 | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@9df610 |]
[DEBUG] org.pac4j.oidc.client.OidcClient : credentials : #OidcCredentials# | code: 8fyXB8oY_gTflXh1i3iJ4WnSt5cwmwLlnWPbX5AKCst | accessToken: f4urbf-6txACnfGc31c0WnN5s1u0HNGPRipiDzKXvG0 | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@9df610 |
[DEBUG] org.pac4j.oidc.profile.OidcProfile : adding => key: access_token / value: f4urbf-6txACnfGc31c0WnN5s1u0HNGPRipiDzKXvG0 / class com.nimbusds.oauth2.sdk.token.BearerAccessToken
[DEBUG] org.pac4j.oidc.profile.OidcProfile : adding => key: expiration / value: 1667576763662 / class java.lang.Long
[DEBUG] org.pac4j.oidc.profile.OidcProfile : adding => key: id_token / value: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImtleXN0b3JlLUNIQU5HRS1NRSJ9.eyJzdWIiOiJtaWthIiwiYXRfaGFzaCI6ImxGQ0ZMbFE3MXkxVWkyVEJrWXRzbnciLCJhdWQiOiJteS1jbGllbnQiLCJleHAiOjE2Njc1NzY3NjMsImlhdCI6MTY2NzU3MzE2MywiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo5MDkwIn0.kjX9xjHUO56CJEEoXPc2XdMIDcR8kIx6XyPqFY6Pe6ad3BBliuP6dJe7seFt4aN6muDKi0dfFpQmpT_sl5VnfVbYivFjF3DXdxVvOwfBmBiJUq_h9OlvaeEnPljCjIdcvQAbgEk4mzXGMSamNKEbxG8kCy1aLi49AI4I006ncS0JlbD1sqJdmVIQ0dBF03k1RWtDpXp8wGAiZZtaIY4usUUZYNT3JcNgzWFQhqMrmxde95GZqVYUpMHP2qo4dx0Hvib0kd64ZwuvSLuMlen7ygpdH4cDvmNS3yUsBFjc6UM8xzr2Sjq5tVZDra9RC1Nv8pM_eSETNTd-q9lk6bNOqQ / class java.lang.String
[DEBUG] org.pac4j.oidc.profile.creator.OidcProfileCreator : User info response: status=200, content={"sub":"test","name":"test","preferred_username":"test","groups":["local-development"],"email":"test@example.ch"}
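The DEBUG output above prints the authorization code, the access token and the ID token in clear text, so such logs are worth scrubbing before they are attached to a ticket or shipped to a shared log store. The following is an added example, not part of Magnolia or pac4j: the patterns are derived from the line shapes in the sample above, and the sample lines and token values in it are constructed.

```python
import hashlib
import re

# Field names that carry credentials in the pac4j DEBUG lines shown above.
SECRET_KEYS = r"(?:access_token|id_token|refresh_token|accessToken|refreshToken|code)"

PATTERNS = [
    re.compile(r'("' + SECRET_KEYS + r'"\s*:\s*")([^"]+)'),       # JSON body of "Token response"
    re.compile(r'(\b' + SECRET_KEYS + r': )([^\s|\]]+)'),          # "code: ... | accessToken: ... |"
    re.compile(r'(key: ' + SECRET_KEYS + r' / value: )(\S+)'),    # OidcProfile "adding =>" lines
    re.compile(r'([?&]code=)([^&\s]+)'),                           # callback URL query string
]


def _tag(match):
    """Replace the secret with a short hash so equal values stay correlatable."""
    value = match.group(2)
    if value == "null" or value.startswith("[REDACTED"):
        return match.group(0)
    digest = hashlib.sha256(value.encode()).hexdigest()[:8]
    return f"{match.group(1)}[REDACTED:{digest}]"


def redact(text):
    """Return the log text with codes and tokens replaced by hash tags."""
    for pattern in PATTERNS:
        text = pattern.sub(_tag, text)
    return text


# Constructed sample lines in the same shape as the output above.
SAMPLE = """\
[DEBUG] org.pac4j.core.engine.DefaultSecurityLogic : url: http://localhost:8080/.auth?code=CONSTRUCTED-CODE-123&state=abc123
[DEBUG] j.oidc.credentials.authenticator.OidcAuthenticator: Token response: status=200, content={"access_token":"CONSTRUCTED-AT-456","expires_in":3600,"id_token":"aaa.bbb.ccc","scope":"openid profile email","token_type":"Bearer"}
[DEBUG] org.pac4j.core.engine.DefaultCallbackLogic : credentials: Optional[#OidcCredentials# | code: CONSTRUCTED-CODE-123 | accessToken: CONSTRUCTED-AT-456 | refreshToken: null | idToken: com.nimbusds.jwt.SignedJWT@9df610 |]
[DEBUG] org.pac4j.oidc.profile.OidcProfile : adding => key: access_token / value: CONSTRUCTED-AT-456 / class com.nimbusds.oauth2.sdk.token.BearerAccessToken
[DEBUG] org.pac4j.core.client.Clients : configuration: #OidcConfiguration# | clientId: my-client | responseType: code | responseMode: null |
"""

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Because the replacement is a hash prefix rather than a fixed string, the same code or token can still be followed from the callback URL through the token response to the profile.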