feat: add error reason to OAuth2TokenExchangeError event (#3971)

Author: alnr

oauth2/handler.go

@@ -1172,7 +1172,7 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		h.logOrAudit(err, r)
 		h.r.OAuth2Provider().WriteAccessError(ctx, w, accessRequest, err)
-		events.Trace(ctx, events.TokenExchangeError)
+		events.Trace(ctx, events.TokenExchangeError, events.WithError(err))
 		return
 	}
 
@@ -1185,7 +1185,7 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) {
 			if err != nil {
 				h.logOrAudit(err, r)
 				h.r.OAuth2Provider().WriteAccessError(ctx, w, accessRequest, err)
-				events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest))
+				events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest), events.WithError(err))
 				return
 			}
 		}
@@ -1234,23 +1234,22 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) {
 	}
 
 	for _, hook := range h.r.AccessRequestHooks() {
-		if err = hook(ctx, accessRequest); err != nil {
+		if err := hook(ctx, accessRequest); err != nil {
 			h.logOrAudit(err, r)
 			h.r.OAuth2Provider().WriteAccessError(ctx, w, accessRequest, err)
-			events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest))
+			events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest), events.WithError(err))
 			return
 		}
 	}
 
 	var accessResponse fosite.AccessResponder
-	if err := h.r.Persister().Transaction(ctx, func(ctx context.Context, _ *pop.Connection) error {
-		var err error
+	if err := h.r.Persister().Transaction(ctx, func(ctx context.Context, _ *pop.Connection) (err error) {
 		accessResponse, err = h.r.OAuth2Provider().NewAccessResponse(ctx, accessRequest)
 		return err
 	}); err != nil {
 		h.logOrAudit(err, r)
 		h.r.OAuth2Provider().WriteAccessError(ctx, w, accessRequest, err)
-		events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest))
+		events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest), events.WithError(err))
 		return
 	}
 

x/events/events.go

@@ -5,11 +5,13 @@ package events
 
 import (
 	"context"
+	"errors"
 
 	otelattr "go.opentelemetry.io/otel/attribute"
 	"go.opentelemetry.io/otel/trace"
 
 	"github.com/ory/fosite"
+	"github.com/ory/herodot"
 	"github.com/ory/x/otelx/semconv"
 )
 
@@ -68,6 +70,7 @@ const (
 	attributeKeyOAuth2TokenFormat           = "OAuth2TokenFormat"           //nolint:gosec
 	attributeKeyOAuth2RefreshTokenSignature = "OAuth2RefreshTokenSignature" //nolint:gosec
 	attributeKeyOAuth2AccessTokenSignature  = "OAuth2AccessTokenSignature"  //nolint:gosec
+	attributeKeyErrorReason                 = "ErrorReason"
 )
 
 // WithTokenFormat emits the token format as part of the event.
@@ -129,6 +132,17 @@ func WithRequest(request fosite.Requester) trace.EventOption {
 	return trace.WithAttributes(attributes...)
 }
 
+// WithError sets the Reason attribute according to the error given.
+func WithError(err error) trace.EventOption {
+	if err == nil {
+		return trace.WithAttributes()
+	}
+	if rc := herodot.ReasonCarrier(nil); errors.As(err, &rc) && rc.Reason() != "" { // also works for fosite.RFC6749Error
+		return trace.WithAttributes(otelattr.String(attributeKeyErrorReason, rc.Reason()))
+	}
+	return trace.WithAttributes(otelattr.String(attributeKeyErrorReason, err.Error()))
+}
+
 // Trace emits an event with the given attributes.
 func Trace(ctx context.Context, event semconv.Event, opts ...trace.EventOption) {
 	allOpts := append([]trace.EventOption{trace.WithAttributes(semconv.AttributesFromContext(ctx)...)}, opts...)