You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Kirk True (Jira)" <ji...@apache.org> on 2023/01/13 22:12:00 UTC

[jira] [Commented] (KAFKA-14623) OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging

    [ https://issues.apache.org/jira/browse/KAFKA-14623?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17676778#comment-17676778 ] 

Kirk True commented on KAFKA-14623:
-----------------------------------

cc [~smjn] [~omkreddy] 

> OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging  
> -----------------------------------------------------------------------
>
>                 Key: KAFKA-14623
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14623
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients, security
>    Affects Versions: 3.3.1
>            Reporter: Kirk True
>            Assignee: Kirk True
>            Priority: Major
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The OAuth code that communicates via HTTP with the IdP (HttpAccessTokenRetriever.java) includes logging that outputs the request and response payloads. Among them are:
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L265]
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L274]
>  * [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L320]
> It should be determined if there are other places sensitive information might be inadvertently exposed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)