Debugging authentication issues

If a user successfully authenticates through the Gafaelfawr /login route but then cannot access a service such as the Notebook or Portal Aspects, a good initial debugging step is to look at the contents of the user’s token. Have the user go to /auth/analyze, which will provide a JSON dump of their authentication information. This will include their secret token, so be aware that sharing the full contents of that page will allow someone else to impersonate that user. The important information is in the token.data portion of the JSON document. The key information to look at is the isMemberOf claim, which shows the groups of which Gafaelfawr thinks the user is a member, and the scope claim, which shows how those group memberships were translated into access scopes using the group_mappings configuration. This is usually the best tool for uncovering problems with group mapping.

For other issues, looking at the pod logs for the gafaelfawr pod in the gafaelfawr namespace is the best next step. (The actual pod name will have a random string appended to gafaelfawr. The pod of interest is the one that is not the Redis pod.) kubectl logs <pod> -n gafaelfawr --timestamp or the Argo CD pod logs screen will show you the messages from Gafaelfawr, including any errors. The logs from Gafaelfawr are in JSON format.