[ https://issues.apache.org/jira/browse/JCLOUDS-1562?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17277057#comment-17277057 ]
roded commented on JCLOUDS-1562:
--------------------------------

Should there be an annotation in `org.jclouds.rest.annotations` which marks an endpoint as containing sensitive information?

> AuthorizationApi.authorizeClientSecret errors can expose sensitive credentials via exceptions
> ---------------------------------------------------------------------------------------------
>
>                 Key: JCLOUDS-1562
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1562
>             Project: jclouds
>          Issue Type: Bug
>    Affects Versions: 2.2.0
>            Reporter: roded
>            Priority: Major
>
> When an exception occurs during the AuthorizationApi.authorizeClientSecret call, the resulting exception contains both the client ID and the client secret. These should be considered to contain sensitive information which should not be printable to the log.
> The exception looks something like this:
> {code:java}
> Caused by: org.jclouds.http.HttpResponseException: request: POST https://login.microsoftonline.com/<tenent-id>/oauth2/token HTTP/1.1 [grant_type=client_credentials&client_id=<client-id>1&client_secret=<client-secret>&resource=<resource-url>] failed with response: HTTP/1.1 401 Unauthorized
>     at org.jclouds.azureoauth2.storage.handlers.ParseAzureStorageErrorFromXmlContent.handleError(ParseAzureStorageErrorFromXmlContent.java:59)
>     ... 42 more
> {code}
> I'm currently running this using a fork of JClouds which includes a local azureoauth2 module. However, I believe the same will result for any users of the apis.oauth module.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
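
Added example, not jclouds code and not part of the message above: one way to mask credential-bearing form parameters in an exception chain before it reaches a log, using only the JDK. The class name `FormBodyRedactor`, the parameter-name list and the sample message are assumptions constructed for illustration.

```java
import java.util.regex.Pattern;

/** Hypothetical helper (not part of jclouds): masks credential form parameters. */
public final class FormBodyRedactor {
    // Assumed set of sensitive form parameter names; client_id is included because
    // the report treats both the client ID and the client secret as sensitive.
    // The lookbehind keeps "assertion" from matching inside a longer parameter name.
    // Values are assumed form-encoded, so they end at '&', whitespace or ']'.
    private static final Pattern SENSITIVE = Pattern.compile(
        "(?i)(?<![A-Za-z0-9_])(client_id|client_secret|password|refresh_token|assertion)"
        + "=[^&\\s\\]]*");

    private FormBodyRedactor() {}

    /** Replaces the value of every sensitive name=value pair with a fixed marker. */
    public static String redact(String message) {
        return message == null ? null : SENSITIVE.matcher(message).replaceAll("$1=<redacted>");
    }

    /** Copies an exception chain, redacting each message but keeping type and stack trace. */
    public static RuntimeException sanitized(Throwable t) {
        Throwable cause = t.getCause();
        RuntimeException copy = new RuntimeException(
            t.getClass().getName() + ": " + redact(t.getMessage()),
            cause == null ? null : sanitized(cause));
        copy.setStackTrace(t.getStackTrace());
        return copy;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the message quoted in the report.
        String leaked = "request: POST https://login.example.invalid/TENANT/oauth2/token HTTP/1.1 "
            + "[grant_type=client_credentials&client_id=CONSTRUCTED-ID"
            + "&client_secret=CONSTRUCTED%2FSECRET&resource=https://storage.example.invalid/] "
            + "failed with response: HTTP/1.1 401 Unauthorized";
        Throwable original = new IllegalStateException("authorization failed",
            new RuntimeException(leaked));

        for (Throwable t = sanitized(original); t != null; t = t.getCause()) {
            System.out.println(t.getMessage());
            if (t.getMessage().contains("CONSTRUCTED")) {
                throw new AssertionError("credential survived redaction");
            }
        }
    }
}
```

Masking at the point where the request is rendered into the exception message is more reliable than scrubbing log output afterwards, since a value that is not form-encoded may contain the delimiters this pattern stops at.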