From 366758a54d25dded4ea7151e5119cc2a15a458a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?= <fpeters@entrouvert.com>
Date: Wed, 17 Aug 2022 21:38:46 +0200
Subject: [PATCH] misc: log when login is refused because of authn_classref
 mismatch (#68236)

---
 mellon/adapters.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/mellon/adapters.py b/mellon/adapters.py
index 9b83bb3..f4c089b 100644
--- a/mellon/adapters.py
+++ b/mellon/adapters.py
@@ -268,6 +268,11 @@ class DefaultAdapter:
         if required_classref:
             given_classref = saml_attributes['authn_context_class_ref']
             if given_classref is None or given_classref not in required_classref:
+                logger.info(
+                    'mellon: refused login because of authn_classref mismatch (%r vs %s)',
+                    given_classref,
+                    required_classref,
+                )
                 raise PermissionDenied
         return True