레포 업데이트

2026-04-01 20:32:09 +09:00
parent 8bab8d44cc
commit 4b0fbdde98
31 changed files with 1636 additions and 43 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -1770,6 +1770,21 @@ func containsHeadlessAudience(expected []string, actual headlessAssertionAud) bo
 	return false
 }

+func joinHeadlessAudiences(values []string) string {
+	if len(values) == 0 {
+		return ""
+	}
+	trimmed := make([]string, 0, len(values))
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		if value == "" {
+			continue
+		}
+		trimmed = append(trimmed, value)
+	}
+	return strings.Join(trimmed, ", ")
+}
+
 func headlessRequestID(c *fiber.Ctx) string {
 	if c == nil {
 		return ""
@@ -1894,14 +1909,18 @@ func (h *AuthHandler) loadHeadlessJWKS(ctx context.Context, client domain.HydraC

 func validateHeadlessClientAssertionClaims(c *fiber.Ctx, claims headlessClientAssertionClaims, clientID string) *headlessLoginFailure {
 	now := time.Now().Unix()
+	expectedAudiences := headlessAssertionAudiences(c)
+	receivedAudiences := []string(claims.Audience)
 	debugFields := map[string]any{
-		"claim_issuer":       claims.Issuer,
-		"claim_subject":      claims.Subject,
-		"claim_expires_at":   claims.ExpiresAt,
-		"claim_not_before":   claims.NotBefore,
-		"claim_issued_at":    claims.IssuedAt,
-		"received_audiences": []string(claims.Audience),
-		"expected_audiences": headlessAssertionAudiences(c),
+		"claim_issuer":            claims.Issuer,
+		"claim_subject":           claims.Subject,
+		"claim_expires_at":        claims.ExpiresAt,
+		"claim_not_before":        claims.NotBefore,
+		"claim_issued_at":         claims.IssuedAt,
+		"received_audiences":      receivedAudiences,
+		"expected_audiences":      expectedAudiences,
+		"received_audiences_text": joinHeadlessAudiences(receivedAudiences),
+		"expected_audiences_text": joinHeadlessAudiences(expectedAudiences),
 	}
 	if claims.Issuer != clientID || claims.Subject != clientID {
 		return newHeadlessLoginFailure(
@@ -1939,7 +1958,7 @@ func validateHeadlessClientAssertionClaims(c *fiber.Ctx, claims headlessClientAs
 			debugFields,
 		)
 	}
-	if !containsHeadlessAudience(headlessAssertionAudiences(c), claims.Audience) {
+	if !containsHeadlessAudience(expectedAudiences, claims.Audience) {
 		return newHeadlessLoginFailure(
 			fiber.StatusUnauthorized,
 			"invalid_client_assertion_audience",