[ https://issues.apache.org/jira/browse/JCLOUDS-1562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

roded updated JCLOUDS-1562:
---------------------------
    Description: 
When an exception occurs during the AuthorizationApi.authorizeClientSecret 
call, the resulting exception contains both the client ID and the client 
secret. These should be considered to contain sensitive information which 
should not be printable to the log.

The exception looks something like this:
{code:java}
 Caused by: org.jclouds.http.HttpResponseException: request: POST 
https://login.microsoftonline.com/<tenent-id>/oauth2/token HTTP/1.1  
[grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>]
 failed with response: HTTP/1.1 401 Unauthorized
        at 
org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
        ... 42 more
{code}

I'm currently running this using a fork of JClouds which includes a local 
azureoauth2 module. However, I believe the same will result for any users of 
the apis.oauth module.

  was:
When an exception occurs during the AuthorizationApi.authorizeClientSecret 
call, the resulting exception contains both the client ID and the client 
secret. These should be considered to contain sensitive information which 
should not be printable to the log.

The exception looks something like this:

I'm currently running this using a fork of JClouds which includes a local 
azureoauth2 module. However, I believe the same will result for any users of 
the apis.oauth module.


> AuthorizationApi.authorizeClientSecret errors can expose sensitive 
> credentials via exceptions
> ---------------------------------------------------------------------------------------------
>
>                 Key: JCLOUDS-1562
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1562
>             Project: jclouds
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: roded
>            Priority: Major
>
> When an exception occurs during the AuthorizationApi.authorizeClientSecret 
> call, the resulting exception contains both the client ID and the client 
> secret. These should be considered to contain sensitive information which 
> should not be printable to the log.
> The exception looks something like this:
> {code:java}
>  Caused by: org.jclouds.http.HttpResponseException: request: POST 
> https://login.microsoftonline.com/<tenent-id>/oauth2/token HTTP/1.1  
> [grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>]
>  failed with response: HTTP/1.1 401 Unauthorized
>       at 
> org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
>       ... 42 more
> {code}
> I'm currently running this using a fork of JClouds which includes a local 
> azureoauth2 module. However, I believe the same will result for any users of 
> the apis.oauth module.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
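The mitigation the report asks for, shown as an added Java example that is not jclouds code and not part of the issue: form-encoded parameters whose names are known to carry credentials (client_secret, client_id, password, refresh_token, assertion) are masked before the request text is placed in an exception message. The class and method names (SensitiveParamRedactor, redact, RedactedHttpResponseException) are hypothetical, and the request string in main is constructed with placeholder values; it is not a real token request.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not part of jclouds): masks credential-bearing form parameters in request text. */
public final class SensitiveParamRedactor {

    // Parameter names treated as sensitive; compared case-insensitively. Assumption: this list is
    // sufficient for the client-credentials grant shown in the report; extend it for other grants.
    private static final Set<String> SENSITIVE = new HashSet<>(Arrays.asList(
            "client_secret", "client_id", "password", "refresh_token", "assertion"));

    // key=value pairs as they appear inside the bracketed form body; a value ends at '&', ']' or whitespace.
    private static final Pattern KEY_VALUE = Pattern.compile("([A-Za-z0-9_.-]+)=([^&\\]\\s]*)");

    private SensitiveParamRedactor() {}

    /** Returns the request text with sensitive parameter values replaced by the literal <redacted>. */
    public static String redact(String request) {
        Matcher m = KEY_VALUE.matcher(request);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group(1);
            String replacement = SENSITIVE.contains(key.toLowerCase())
                    ? key + "=<redacted>"
                    : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Hypothetical exception type (not jclouds' HttpResponseException): its message is built from the redacted request. */
    public static final class RedactedHttpResponseException extends RuntimeException {
        private final int statusCode;

        public RedactedHttpResponseException(String request, int statusCode, Throwable cause) {
            super("request: " + redact(request) + " failed with response: HTTP/1.1 " + statusCode, cause);
            this.statusCode = statusCode;
        }

        public int getStatusCode() {
            return statusCode;
        }
    }

    public static void main(String[] args) {
        // Constructed sample request; the tenant, client ID, secret and resource are placeholders.
        String request = "POST https://login.microsoftonline.com/example-tenant/oauth2/token HTTP/1.1 "
                + "[grant_type=client_credentials&client_id=example-client-id"
                + "&client_secret=example-secret-value&resource=https://storage.azure.com/]";

        RuntimeException e = new RedactedHttpResponseException(request, 401, null);
        System.out.println(e.getMessage());

        // The credential values must not survive into the message; non-sensitive parameters stay readable.
        if (e.getMessage().contains("example-secret-value") || e.getMessage().contains("example-client-id")) {
            throw new AssertionError("credential leaked into exception message");
        }
        if (!e.getMessage().contains("grant_type=client_credentials")
                || !e.getMessage().contains("client_secret=<redacted>")) {
            throw new AssertionError("redaction did not produce the expected message");
        }
    }
}
```

Masking the message string is only the first step: if the exception (or anything it wraps) still exposes the original request object through a getter or its toString, a logging framework or a catch block that prints the cause chain can reproduce the secret. The request body should be masked at the point where it is turned into text for any diagnostic purpose, and the same parameter list applied to request logging.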
