[jira] [Updated] (KAFKA-14623) OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging

Kirk True (Jira) Thu, 29 Jun 2023 14:08:12 -0700


     [ 
https://issues.apache.org/jira/browse/KAFKA-14623?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Kirk True updated KAFKA-14623:
------------------------------
    Labels: OAuth  (was: )

> OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging  
> -----------------------------------------------------------------------
>
>                 Key: KAFKA-14623
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14623
>             Project: Kafka
>          Issue Type: Bug
>          Components: clients, security
>    Affects Versions: 3.3.0, 3.3.1, 3.3.2
>            Reporter: Kirk True
>            Assignee: Kirk True
>            Priority: Major
>              Labels: OAuth
>             Fix For: 3.4.0, 3.3.3
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> The OAuth code that communicates via HTTP with the IdP 
> (HttpAccessTokenRetriever.java) includes logging that outputs the request and 
> response payloads. Among them are:
>  * 
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L265]
>  * 
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L274]
>  * 
> [https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L320]
> It should be determined if there are other places sensitive information might 
> be inadvertently exposed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (KAFKA-14623) OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging

Reply via email to