You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by GitBox <gi...@apache.org> on 2023/01/14 04:13:57 UTC

[GitHub] [kafka] smjn commented on a diff in pull request #13119: KAFKA-14623: OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging

smjn commented on code in PR #13119:
URL: https://github.com/apache/kafka/pull/13119#discussion_r1070212730


##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java:
##########
@@ -240,6 +240,9 @@ static String handleOutput(final HttpURLConnection con) throws IOException {
         int responseCode = con.getResponseCode();
         log.debug("handleOutput - responseCode: {}", responseCode);
 
+        // NOTE: the contents of the response should not be logged so that we don't leak any
+        // sensitive data.
+        // TODO: is it OK to log the error response body and/or its formatted version?

Review Comment:
   Hi I had referred the rfc which mentioned about the error response - https://www.ietf.org/rfc/rfc6749.txt , section 5.2
   
   P.S. has there been any instance of info leak? There are only 3 things to leak - client_id, secret and scope. Of this only the secret is problematic. As per the rfc the value of the attribute is not printed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscribe@kafka.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org