From c4c64d51bccff3d92333d9233f5f92b886c9b9b4 Mon Sep 17 00:00:00 2001
From: Patrick Jones
Date: Mon, 14 Jun 2021 10:55:04 -0700
Subject: [PATCH] downscope: add some context to returned error
---
 google/downscope/downscoping.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/google/downscope/downscoping.go b/google/downscope/downscoping.go
index 194286c..660e545 100644
--- a/google/downscope/downscoping.go
+++ b/google/downscope/downscoping.go
@@ -14,6 +14,7 @@ import (
 "context"
 "encoding/json"
 "fmt"
+ "io/ioutil"
 "net/http"
 "net/url"
 "time"
@@ -129,15 +130,19 @@ func downscopedTokenWithEndpoint(ctx context.Context, config DownscopingConfig,
 return nil, fmt.Errorf("unable to generate POST Request %v", err)
 }
 defer resp.Body.Close()
+ if resp.StatusCode != http.StatusOK {
+ b, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, fmt.Errorf("downscope: unable to exchange token; %v. Failed to read response body: %v", resp.StatusCode, err)
+ }
+ return nil, fmt.Errorf("downscope: unable to exchange token; %v. Server responsed: %v", resp.StatusCode, string(b))
+ }
 var tresp downscopedTokenResponse
 err = json.NewDecoder(resp.Body).Decode(&tresp)
 if err != nil {
 return nil, fmt.Errorf("downscope: unable to unmarshal response body: %v", err)
 }
- if resp.StatusCode != http.StatusOK {
- return nil, fmt.Errorf("downscope: unable to exchange token; %v", resp.StatusCode)
- }
 // an exchanged token that is derived from a service account (2LO) has an expired_in value
 // a token derived from a users token (3LO) does not.
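Review bot: The new non-200 branch reads the entire error body with `ioutil.ReadAll(resp.Body)` and embeds it in the returned error, so the size of that error string is set by whatever answered the token-exchange request. Capping the read, e.g. `b, err := ioutil.ReadAll(io.LimitReader(resp.Body, 1<<20))` with `"io"` added to the import block in the first hunk, keeps a misbehaving endpoint or intermediary from inflating memory use and log lines. Callers are likely to log this error, so formatting the body with `%q` instead of `%v` would keep control characters in the response from splitting log entries, and the message has a typo (`responsed` should be `responded`). downscopedTokenWithEndpoint starts before and continues after this hunk, so how `endpoint` is chosen is not visible here.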