DuendeSoftware / IdentityServer

The most flexible and standards-compliant OpenID Connect and OAuth 2.x framework for ASP.NET Core
https://duendesoftware.com/products/identityserver

Filter subject token from TokenRequest log #1521

Closed: krosn closed this 7 months ago

krosn commented 7 months ago

Treat the Subject Token as sensitive because it could be an access token or an identity token that contains PII.

See https://github.com/DuendeSoftware/IdentityServer/issues/1522

brockallen commented 7 months ago

Thanks @krosn. I'd want to consider if anyone cared/wanted it in the logs... of course, we can document this change. But we'd need to at least do it in a point release. So prolly in our 7.1.0 release.

krosn commented 7 months ago

Sure, sounds good. There's no rush on my end.