From 6d0ebf29587742a2ae7f634198620db49e4220c5 Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Tue, 10 Mar 2026 13:19:32 -0700
Subject: [PATCH] debug(encryptid): add OIDC token exchange debug logging

Temporary logging to diagnose invalid_grant errors on token exchange.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 src/encryptid/server.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index 4d709e7..f16ec78 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -5361,12 +5361,15 @@ app.post('/oidc/token', async (c) => {
   // Consume auth code (atomic — marks used)
   const authCode = await consumeOidcAuthCode(code);
   if (!authCode) {
+    console.log('OIDC token: auth code not found or already used');
     return c.json({ error: 'invalid_grant' }, 400);
   }
   if (authCode.clientId !== clientId) {
+    console.log(`OIDC token: clientId mismatch: code=${authCode.clientId} req=${clientId}`);
     return c.json({ error: 'invalid_grant' }, 400);
   }
   if (authCode.redirectUri !== redirectUri) {
+    console.log(`OIDC token: redirectUri mismatch: code=${authCode.redirectUri} req=${redirectUri}`);
     return c.json({ error: 'invalid_grant' }, 400);
   }