From 82208c43a1a2e5d382db5ab35885b6b5042c9d54 Mon Sep 17 00:00:00 2001
From: catper <60221155+catper@users.noreply.github.com>
Date: Sun, 20 Sep 2020 08:48:07 +0200
Subject: [PATCH] fix: downgrade log level for access rejections (#2038)

Closes #2031
---
 oauth2/handler.go | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/oauth2/handler.go b/oauth2/handler.go
index 2cd45e9ea8c..098ea017f03 100644
--- a/oauth2/handler.go
+++ b/oauth2/handler.go
@@ -428,7 +428,7 @@ func (h *Handler) IntrospectHandler(w http.ResponseWriter, r *http.Request, _ ht
 
 	tt, ar, err := h.r.OAuth2Provider().IntrospectToken(ctx, token, fosite.TokenType(tokenType), session, strings.Split(scope, " ")...)
 	if err != nil {
-		x.LogError(r, err, h.r.Logger())
+		x.LogAudit(r, err, h.r.Logger())
 		err := errors.WithStack(fosite.ErrInactiveToken.WithHint("An introspection strategy indicated that the token is inactive.").WithDebug(err.Error()))
 		h.r.OAuth2Provider().WriteIntrospectionError(w, err)
 		return
@@ -552,8 +552,18 @@ func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request) {
 	var ctx = r.Context()
 
 	accessRequest, err := h.r.OAuth2Provider().NewAccessRequest(ctx, r, session)
+
 	if err != nil {
-		x.LogError(r, err, h.r.Logger())
+		switch errors.Cause(err) {
+		case fosite.ErrServerError:
+			fallthrough
+		case fosite.ErrTemporarilyUnavailable:
+			fallthrough
+		case fosite.ErrMisconfiguration:
+			x.LogError(r, err, h.r.Logger())
+		default:
+			x.LogAudit(r, err, h.r.Logger())
+		}
 		h.r.OAuth2Provider().WriteAccessError(w, accessRequest, err)
 		return
 	}
@@ -589,8 +599,18 @@ func (h *Handler) TokenHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	accessResponse, err := h.r.OAuth2Provider().NewAccessResponse(ctx, accessRequest)
+
 	if err != nil {
-		x.LogError(r, err, h.r.Logger())
+		switch errors.Cause(err) {
+		case fosite.ErrServerError:
+			fallthrough
+		case fosite.ErrTemporarilyUnavailable:
+			fallthrough
+		case fosite.ErrMisconfiguration:
+			x.LogError(r, err, h.r.Logger())
+		default:
+			x.LogAudit(r, err, h.r.Logger())
+		}
 		h.r.OAuth2Provider().WriteAccessError(w, accessRequest, err)
 		return
 	}