You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@jclouds.apache.org by "roded (Jira)" <ji...@apache.org> on 2021/02/01 16:19:00 UTC
[jira] [Updated] (JCLOUDS-1562)
AuthorizationApi.authorizeClientSecret errors can expose sensitive
credentials via exceptions
[ https://issues.apache.org/jira/browse/JCLOUDS-1562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
roded updated JCLOUDS-1562:
---------------------------
Description:
When an exception occurs during the AuthorizationApi.authorizeClientSecret call, the resulting exception contains both the client ID and the client secret. These should be considered to contain sensitive information which should not be printable to the log.
The exception looks something like this:
{code:java}
Caused by: org.jclouds.http.HttpResponseException: request: POST https://login.microsoftonline.com/<tenent-id>/oauth2/token HTTP/1.1 [grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>] failed with response: HTTP/1.1 401 Unauthorized
at org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
... 42 more
{code}
I'm currently running this using a fork of JClouds which includes a local azureoauth2 module. However, I believe the same will result for any users of the apis.oauth module.
was:
When an exception occurs during the AuthorizationApi.authorizeClientSecret call, the resulting exception contains both the client ID and the client secret. These should be considered to contain sensitive information which should not be printable to the log.
The exception looks something like this:
I'm currently running this using a fork of JClouds which includes a local azureoauth2 module. However, I believe the same will result for any users of the apis.oauth module.
> AuthorizationApi.authorizeClientSecret errors can expose sensitive credentials via exceptions
> ---------------------------------------------------------------------------------------------
>
> Key: JCLOUDS-1562
> URL: https://issues.apache.org/jira/browse/JCLOUDS-1562
> Project: jclouds
> Issue Type: Bug
> Affects Versions: 2.2.0
> Reporter: roded
> Priority: Major
>
> When an exception occurs during the AuthorizationApi.authorizeClientSecret call, the resulting exception contains both the client ID and the client secret. These should be considered to contain sensitive information which should not be printable to the log.
> The exception looks something like this:
> {code:java}
> Caused by: org.jclouds.http.HttpResponseException: request: POST https://login.microsoftonline.com/<tenent-id>/oauth2/token HTTP/1.1 [grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>] failed with response: HTTP/1.1 401 Unauthorized
> at org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
> ... 42 more
> {code}
> I'm currently running this using a fork of JClouds which includes a local azureoauth2 module. However, I believe the same will result for any users of the apis.oauth module.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)