From a3b1e4d208f57ea82e82bcefbddfab09ead0b5d8 Mon Sep 17 00:00:00 2001 From: Raphael Michel Date: Tue, 5 Aug 2025 09:48:16 +0200 Subject: [PATCH] OIDC client: Add more logging --- src/pretix/base/customersso/oidc.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/src/pretix/base/customersso/oidc.py b/src/pretix/base/customersso/oidc.py index 71e64e1d6c..3e20d0ffda 100644 --- a/src/pretix/base/customersso/oidc.py +++ b/src/pretix/base/customersso/oidc.py @@ -199,6 +199,7 @@ def oidc_validate_authorization(provider, code, redirect_uri, pkce_code_verifier params['client_id'] = provider.configuration['client_id'] params['client_secret'] = provider.configuration['client_secret'] + resp = None try: resp = requests.post( endpoint, @@ -214,7 +215,10 @@ def oidc_validate_authorization(provider, code, redirect_uri, pkce_code_verifier resp.raise_for_status() data = resp.json() except RequestException: - logger.exception('Could not retrieve authorization token') + if resp: + logger.exception(f'Could not retrieve authorization token. Response: {resp.text}') + else: + logger.exception('Could not retrieve authorization token') raise ValidationError( _('Login was not successful. Error message: "{error}".').format( error='could not reach login provider', @@ -222,6 +226,7 @@ def oidc_validate_authorization(provider, code, redirect_uri, pkce_code_verifier ) if 'access_token' not in data: + logger.error(f'Could not find access token. Response: {data}') raise ValidationError( _('Login was not successful. Error message: "{error}".').format( error='access token missing', @@ -229,6 +234,7 @@ def oidc_validate_authorization(provider, code, redirect_uri, pkce_code_verifier ) endpoint = provider.configuration['provider_config']['userinfo_endpoint'] + resp = None try: # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo resp = requests.get( 
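Review bot: `if resp:` in the new `except RequestException` branch of the token request (hunk @@ -214) is not a None check, because `requests.Response.__bool__` returns `resp.ok`. A 4xx/5xx response that made `raise_for_status()` raise is therefore falsy and takes the `else` branch, so the body is dropped in exactly the failure case this logging targets. Use `if resp is not None:`; the identical test in the userinfo hunk (@@ -240) needs the same change. Since the body is controlled by the identity provider, I would also pass it as a lazy, length-bounded argument instead of an f-string, e.g. `logger.exception('Could not retrieve authorization token. Response: %.1000s', resp.text)`. The body of oidc_validate_authorization starts and ends outside this hunk.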
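Review bot: The added `logger.error(f'Could not find access token. Response: {data}')` (hunk @@ -222) writes the complete token-endpoint JSON to the application log. A response without `access_token` can still contain an `id_token` or `refresh_token`, so credentials and personal claims may end up wherever logs are shipped and retained. Logging only the diagnostic fields avoids that, for example `logger.error('Could not find access token. Error: %r, keys: %r', data.get('error'), sorted(data))` guarded by `isinstance(data, dict)`, since `resp.json()` is not guaranteed to return a dict. The enclosing function continues outside this hunk.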
@@ -240,7 +246,10 @@ def oidc_validate_authorization(provider, code, redirect_uri, pkce_code_verifier resp.raise_for_status() userinfo = resp.json() except RequestException: - logger.exception('Could not retrieve user info') + if resp: + logger.exception(f'Could not retrieve user info. Response: {resp.text}') + else: + logger.exception('Could not retrieve user info') raise ValidationError( _('Login was not successful. Error message: "{error}".').format( error='could not fetch user info',
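Review bot: With the truthiness test as written, the only path that reaches `logger.exception(f'Could not retrieve user info. Response: {resp.text}')` is a successful (2xx) userinfo response whose body fails `resp.json()`. That assumes a requests version where the JSON decode error is a `RequestException`. Such a body is the user's actual claims, for instance a signed `application/jwt` userinfo response, so personal data would be logged verbatim and unbounded. After switching to `if resp is not None:` (raised on the token hunk), I would log the status and a truncated body only, e.g. `logger.exception('Could not retrieve user info. Status: %s, response: %.500s', resp.status_code, resp.text)`, and add a comment that the body may contain personal data. The enclosing function's body extends beyond this hunk.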