From f9f98cb3a7511ade5bb3203d2b022e2747bc5434 Mon Sep 17 00:00:00 2001
From: Josh Bielick
Date: Mon, 6 Apr 2020 04:27:24 -0400
Subject: [PATCH] print full error message when non-api error (#474)
when type asserting fails here, err is reassigned with nil and the default block of the switch prints out in the error message. This makes debugging a configuration or access token issue difficult The particular error this surfaces is: Response: { "error": "unauthorized_client", "error_description": "Client is unauthorized to retrieve access tokens using this method, or client not authorized for any of the scopes requested." }
Signed-off-by: Josh Bielick
---
 CHANGELOG.md | 1 +
 providers/google.go | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c383f8d2..fd46f7c1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 ## Changes since v5.1.0
+- [#474](https://github.com/oauth2-proxy/oauth2-proxy/pull/474) Always log hasMember request error object (@jbielick)
 - [#468](https://github.com/oauth2-proxy/oauth2-proxy/pull/468) Implement graceful shutdown and propagate request context (@johejo)
 - [#464](https://github.com/oauth2-proxy/oauth2-proxy/pull/464) Migrate to oauth2-proxy/oauth2-proxy (@JoelSpeed)
 - Project renamed from `pusher/oauth2_proxy` to `oauth2-proxy`
diff --git a/providers/google.go b/providers/google.go
index ec16ded5..804ea345 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -198,11 +198,11 @@ func userInGroup(service *admin.Service, groups []string, email string) bool {
 req := service.Members.HasMember(group, email)
 r, err := req.Do()
 if err != nil {
- err, ok := err.(*googleapi.Error)
+ gerr, ok := err.(*googleapi.Error)
 switch {
- case ok && err.Code == 404:
+ case ok && gerr.Code == 404:
 logger.Printf("error checking membership in group %s: group does not exist", group)
- case ok && err.Code == 400:
+ case ok && gerr.Code == 400:
 // It is possible for Members.HasMember to return false even if the email is a group member.
 // One case that can cause this is if the user email is from a different domain than the group,
 // e.g. "member@otherdomain.com" in the group "group@mydomain.com" will result in a 400 error
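Review bot: The direct assertion `gerr, ok := err.(*googleapi.Error)` only matches when `req.Do()` returns the API error unwrapped; if a client or transport layer wraps it, the 404 and 400 cases are skipped and the membership check falls through to the default branch. `var gerr *googleapi.Error` followed by `ok := errors.As(err, &gerr)` would keep the same cases while tolerating wrapping (this needs the `errors` import, which is not visible here). Since the whole fix rests on `err` staying untouched for the default branch, a short comment above the assertion such as `// keep err intact: the default case logs it for non-API failures` would stop the shadowing from being reintroduced. The default branch and the rest of userInGroup lie outside this hunk, so I am assuming it still treats the user as not a member on these errors and that the logged response body carries no credential material beyond the error description quoted in the commit message.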