Log requested scopes when auth is denied

What does this MR do and why?

In production, we are seeing some log messages show that authentication in the meta.auth_fail_reason field was denied for the requested scopes even though the API request succeeded.

It's possible that auth was requested for one set of scopes, but succeeded for another. This commit adds meta.auth_fail_requested_scopes to better understand which scopes were not available.

References

Relates to #505746 (closed)

How to set up and validate locally

  1. Create a personal access token with read_repository access (or anything without :api and :read_api).
  2. In your GDK, make a curl request with a token to the users endpoint:
     curl -H "PRIVATE-TOKEN: fail" http://gdk.test:3000/api/v4/users
  3. Check gitlab/log/api_json for fields such as:
     "meta.auth_fail_reason": "insufficient_scope",
     "meta.auth_fail_token_id": "PersonalAccessToken/2",
     "meta.auth_fail_requested_scopes": "read_user api read_api",
Edited by Stan Hu
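
Added example, not part of the merge request or of GitLab's code: one way to carry out the log check in step 3 across many entries, grouping auth failures by requested scopes and marking those where the request still succeeded. The sample lines are constructed, and the `status` and `path` keys are assumed to be present on each api_json entry; only the `meta.auth_fail_*` keys come from the description above.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of gitlab/log/api_json entries.
# "status" and "path" are assumptions; the meta.auth_fail_* keys are from the MR.
SAMPLE_LOG = """\
{"status":200,"path":"/api/v4/users","meta.auth_fail_reason":"insufficient_scope","meta.auth_fail_token_id":"PersonalAccessToken/2","meta.auth_fail_requested_scopes":"read_user api read_api"}
{"status":403,"path":"/api/v4/users","meta.auth_fail_reason":"insufficient_scope","meta.auth_fail_token_id":"PersonalAccessToken/2","meta.auth_fail_requested_scopes":"api read_api"}
{"status":200,"path":"/api/v4/projects"}
not json
"""


def auth_failures(lines):
    """Yield parsed log entries that carry meta.auth_fail_reason."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if isinstance(entry, dict) and "meta.auth_fail_reason" in entry:
            yield entry


def summarize(lines):
    """Count (reason, requested scopes, request succeeded) combinations."""
    counts = Counter()
    for entry in auth_failures(lines):
        raw = entry.get("meta.auth_fail_requested_scopes") or ""
        scopes = tuple(sorted(raw.split()))  # order-independent grouping
        status = entry.get("status")
        succeeded = isinstance(status, int) and 200 <= status < 300
        counts[(entry["meta.auth_fail_reason"], scopes, succeeded)] += 1
    return counts


if __name__ == "__main__":
    for (reason, scopes, ok), n in summarize(SAMPLE_LOG.splitlines()).items():
        flag = "request succeeded" if ok else "request failed"
        print(f"{n}x {reason} requested={' '.join(scopes)} ({flag})")
```

Entries flagged as succeeded are the case the description is investigating: a logged scope denial on a request that nevertheless went through.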
