Merge branch 'saml-oauth-debug-logs' into 'develop'

Add debug logs to SAML and Oauth

See merge request baserow/baserow!3779

Author: silvestrid

changelog/entries/unreleased/refactor/add_debug_logs_to_saml_and_oauth2_views_to_get_more_informat.json

@@ -0,0 +1,8 @@
+{
+  "type": "refactor",
+  "message": "Add debug logging to SAML/OAuth2 views to get more information on issues.",
+  "domain": "core",
+  "issue_number": null,
+  "bullet_points": [],
+  "created_at": "2025-10-07"
+}

docs/development/sso-saml.md

@@ -0,0 +1,15 @@
+# Setting up SAML SSO for development
+
+* Create a new SAML authentication provider by going to 
+  http://localhost:3000/admin/auth-providers and clicking on "Add provider" and then on
+  "SSO SAML provider".
+* Set SAML Domain to `example.com`.
+* Go to https://mocksaml.com/ and click on "Download Metadata". Put the contents of the
+  file in the Metadata input.
+* Open the SAML Response Attributes and set the following.
+  * Email: `email`
+  * First name: `firstName`
+  * Last name: `lastName`
+* Click on save, logout and try to log in using the newly created SAML provider. 
+* Observe that you're redirected to the https://mocksaml.com login page where you can
+  use any @example.com address to log in with.

enterprise/backend/src/baserow_enterprise/api/integrations/common/sso/saml/views.py

@@ -4,6 +4,7 @@
 
 from drf_spectacular.openapi import OpenApiParameter, OpenApiTypes
 from drf_spectacular.utils import extend_schema
+from loguru import logger
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.views import APIView
@@ -81,6 +82,8 @@ def post(
         application_urls = None
         error_raised = {"code": None}
 
+        logger.debug("SAML ACS response payload: {0}", request.data)
+
         def on_error(error_code):
             error_raised["code"] = error_code
 

enterprise/backend/src/baserow_enterprise/api/sso/oauth2/views.py

@@ -6,6 +6,7 @@
 
 from drf_spectacular.openapi import OpenApiParameter, OpenApiTypes
 from drf_spectacular.utils import extend_schema
+from loguru import logger
 from rest_framework.permissions import AllowAny
 from rest_framework.request import Request
 from rest_framework.views import APIView
@@ -147,10 +148,17 @@ def get(self, request: Request, provider_id: int) -> HttpResponseRedirect:
 
         provider = AuthProviderHandler.get_auth_provider_by_id(provider_id)
 
+        logger.debug(
+            "OAuth2 callback request GET query params: {0}", dict(request.query_params)
+        )
+        logger.debug("OAuth2 callback session data: {0}", request.session._session)
+
         code = request.query_params.get("code", None)
         user_info, original_url = provider.get_type().get_user_info(
             provider, code, request.session
         )
+        logger.debug("OAuth2 extracted user info: {0}", user_info)
+
         (
             user,
             _,

enterprise/backend/src/baserow_enterprise/sso/oauth2/auth_provider_types.py

@@ -215,6 +215,9 @@ def get_user_info(
         """
 
         _, json_response = self.get_oauth_token_and_response(instance, code, session)
+
+        logger.debug("OAuth2 response: {0} {1}", _, json_response)
+
         return self.get_user_info_from_oauth_json_response(json_response, session)
 
 
@@ -335,6 +338,8 @@ def get_user_info(
         token, json_response = self.get_oauth_token_and_response(
             instance, code, session
         )
+        logger.debug("OAuth2 response: {0} {1}", token, json_response)
+
         try:
             json_response["email"] = self.get_email(
                 {"Authorization": "token {}".format(token.get("access_token"))},
@@ -557,6 +562,8 @@ def get_user_info(
             instance, code, session
         )
 
+        logger.debug("OAuth2 response: {0} {1}", token, json_response)
+
         if instance.use_id_token:
             if "id_token" not in token:
                 raise AuthFlowError("Id token is missing")
@@ -627,6 +634,7 @@ def get_user_info_from_id_token(self, instance, id_token):
             audience=instance.client_id,
             issuer=self.get_issuer(instance),
         )
+        logger.debug("OIDC decoded id_token: {0}", decoded_token)
 
         email = decoded_token.get(instance.email_attr_key)
 

enterprise/backend/src/baserow_enterprise/sso/saml/handler.py

@@ -160,6 +160,9 @@ def get_user_info_from_authn_user_identity(
         first_name_key = saml_auth_provider.first_name_attr_key
         last_name_key = saml_auth_provider.last_name_attr_key
 
+        logger.debug("Expected email key: {0}", email_key)
+        logger.debug("SAML authn identity: {0}", authn_identity)
+
         saml_request_data = saml_request_data or {}
         email = authn_identity[email_key][0]
         if first_name_key in authn_identity:
@@ -175,6 +178,7 @@ def get_user_info_from_authn_user_identity(
         else:
             name = email
 
+        logger.debug("Extracted user info: {0} {1} {2}", email, name, saml_request_data)
         return UserInfo(email, name, **saml_request_data)
 
     @classmethod