Bug #21077: Don't display oauth/oidc client secret in logs - Rudder - Issue Tracker

Actions

Copy link

Bug #21077

closed

Don't display oauth/oidc client secret in logs

Added by François ARMAND about 3 years ago. Updated about 3 years ago.

Status:

Released

Priority:

N/A

Assignee:

Nicolas CHARLES

Category:

Security

Target version:

6.2.14

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

To do

Fix check:

Checked

Regression:

Description

We need to hide OIDC/oauth client secret in app log.
We can't do it in plugin, because of init order, which is a bit sad, so we need to do it in rudder main.

Updated by François ARMAND about 3 years ago

Status changed from New to In progress
Assignee set to François ARMAND

Updated by François ARMAND about 3 years ago

Status changed from In progress to Pending technical review
Assignee changed from François ARMAND to Nicolas CHARLES
Pull Request set to https://github.com/Normation/rudder/pull/4261

Updated by François ARMAND about 3 years ago

Status changed from Pending technical review to Pending release

Updated by François ARMAND about 3 years ago

Fix check changed from To do to Checked

The property is totally absent from log, which is OK for the need, but a bit surprising compared to other protected info. Not sure why.

[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.auth.displayLoginForm="hide" 
[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.auth.oauth2.provider.okta.authMethod="basic" 
[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.auth.oauth2.provider.okta.client.id="0oa3snkopsIRIIHb35d7" 

<---- here, rudder.auth.oauth2.provider.okta.client.secret is not present, but not present with ******* like jdbc.password below ---->

[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.auth.oauth2.provider.okta.client.redirect="http://localhost:8082/rudder-web/login/oauth2/code/{registrationId}" 
...
[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.jdbc.maxPoolSize="25" 
[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.jdbc.password=**********
[2022-05-31 13:24:49+0000] INFO  application - registered property: rudder.jdbc.url="jdbc:postgresql://localhost:5432/rudder"

Updated by Vincent MEMBRÉ about 3 years ago

Status changed from Pending release to Released

Actions

Copy link

Also available in: Atom PDF

Project

General

Custom queries

Profile

Rudder

Bug #21077

Don't display oauth/oidc client secret in logs

Updated by François ARMAND about 3 years ago

Updated by François ARMAND about 3 years ago

Updated by François ARMAND about 3 years ago

Updated by François ARMAND about 3 years ago

Updated by Vincent MEMBRÉ about 3 years ago