Posted to notifications@jclouds.apache.org by "roded (Jira)" <ji...@apache.org> on 2021/02/02 11:43:00 UTC

[jira] [Commented] (JCLOUDS-1562) AuthorizationApi.authorizeClientSecret errors can expose sensitive credentials via exceptions

    [ https://issues.apache.org/jira/browse/JCLOUDS-1562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17277057#comment-17277057 ] 

roded commented on JCLOUDS-1562:
--------------------------------

Should there be an annotation in `org.jclouds.rest.annotations` which marks an endpoint as containing sensitive information?

> AuthorizationApi.authorizeClientSecret errors can expose sensitive credentials via exceptions
> ---------------------------------------------------------------------------------------------
>
>                 Key: JCLOUDS-1562
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1562
>             Project: jclouds
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: roded
>            Priority: Major
>
> When an exception occurs during the AuthorizationApi.authorizeClientSecret call, the resulting exception contains both the client ID and the client secret. These should be considered to contain sensitive information which should not be printable to the log.
> The exception looks something like this:
> {code:java}
>  Caused by: org.jclouds.http.HttpResponseException: request: POST https://login.microsoftonline.com/<tenant-id>/oauth2/token HTTP/1.1  [grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>] failed with response: HTTP/1.1 401 Unauthorized
>  	at org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
>  	... 42 more
> {code}
> I'm currently running this using a fork of JClouds which includes a local azureoauth2 module. However, I believe the same will result for any users of the apis.oauth module.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
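The failure mode in the quoted issue is that the raw form body of the token request is copied verbatim into the exception message, so a client_secret ends up wherever that exception is logged. The following is an added, stand-alone example (not jclouds code, and not the fix the project adopted) of the kind of helper a client library can route request text through before it reaches an exception or a log: it masks the values of a fixed set of credential-bearing form parameters while leaving the non-secret parameters visible for debugging. The class name RedactingRequestFormatter, the parameter list in SENSITIVE_PARAMS, and the sample request body are all assumptions made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical helper (not part of jclouds) that redacts credential-bearing
 * form parameters before a request body is copied into an exception message.
 */
public final class RedactingRequestFormatter {

    // Parameter names whose values must never appear in logs or exception text.
    // This list is an assumption chosen for the example; a real client would
    // derive it from whatever marks an endpoint or parameter as sensitive.
    private static final Set<String> SENSITIVE_PARAMS = new HashSet<>(Arrays.asList(
            "client_secret", "client_id", "password", "refresh_token", "assertion"));

    private static final String MASK = "<redacted>";

    private RedactingRequestFormatter() {}

    /**
     * Masks the value of every sensitive key in an application/x-www-form-urlencoded
     * body. Keys are compared case-insensitively after percent-decoding; the
     * original key text and all non-sensitive values are passed through unchanged.
     */
    public static String redactFormBody(String body) {
        if (body == null || body.isEmpty()) {
            return body;
        }
        StringBuilder out = new StringBuilder(body.length());
        String[] pairs = body.split("&", -1);
        for (int i = 0; i < pairs.length; i++) {
            if (i > 0) {
                out.append('&');
            }
            String pair = pairs[i];
            int eq = pair.indexOf('=');
            if (eq < 0) {
                // A bare token with no value carries nothing to redact.
                out.append(pair);
                continue;
            }
            String rawKey = pair.substring(0, eq);
            String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8).toLowerCase(Locale.ROOT);
            out.append(rawKey).append('=');
            out.append(SENSITIVE_PARAMS.contains(key) ? MASK : pair.substring(eq + 1));
        }
        return out.toString();
    }

    /**
     * Builds a "request: ... failed with response: ..." description in the shape
     * of the message quoted in the issue, with the body redacted first.
     */
    public static String describeFailure(String method, String url, String body, String statusLine) {
        return "request: " + method + " " + url + " HTTP/1.1  [" + redactFormBody(body)
                + "] failed with response: " + statusLine;
    }

    public static void main(String[] args) {
        // Constructed sample body in the shape of the OAuth2 client-credentials
        // grant from the issue; the values are placeholders, not real credentials.
        String body = "grant_type=client_credentials&client_id=app-1234"
                + "&client_secret=s3cr3t-value&resource=https://storage.azure.com/";
        String msg = describeFailure("POST",
                "https://login.microsoftonline.com/tenant/oauth2/token",
                body, "HTTP/1.1 401 Unauthorized");
        System.out.println(msg);
        // Sanity check: the secret must not survive redaction.
        if (msg.contains("s3cr3t-value") || msg.contains("app-1234")) {
            throw new IllegalStateException("credential leaked into exception text");
        }
    }
}
```

Running main prints the failure description with client_id and client_secret replaced by <redacted> while grant_type and resource stay readable. The key-name approach is deliberately conservative: anything the body carries under an unlisted name is still printed, so the allow/deny list has to be maintained alongside the endpoints that use it, which is the gap an annotation on the endpoint, as suggested in the comment above, would close by letting the library discover sensitive parameters instead of hard-coding them.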