GluuFederation / oxAuth

OAuth 2.0 server and client; OpenID Connect Provider (OP) & UMA Authorization Server (AS)
https://gluu.org/docs/ce
MIT License

fix(oxauth): Plaintext passwords logged from TokenRestWebServiceImpl with DEBUG log level #1910

Closed mmrraju closed 1 week ago

mmrraju commented 1 month ago

Describe the issue

Ticket-11878

User password prints in the log when grant_type is password.

https://github.com/GluuFederation/oxAuth/blob/a40a882660e2468f640c85d0a814dd00f8c63dbd/Server/src/main/java/org/gluu/oxauth/token/ws/rs/TokenRestWebServiceImpl.java#L127.

The "ExtraParams" will print out passwords for password_grant.

Screenshots

Screenshot from 2024-07-13 02-15-26

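An added illustration of the hardening that closes this class of bug (my own example, not the oxAuth patch and not code from the repository): the token endpoint's extra parameters pass through a redaction step before they reach the DEBUG log, so a grant_type=password request no longer writes the user's password. The SENSITIVE_KEYS set, the sanitizeForLog name and the sample request are assumptions.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class TokenLogRedaction {

    // Assumed list of request parameters that must never reach a log file.
    // "password" is the one reported in this issue; the others are common
    // OAuth 2.0 secrets included here as a defensive default.
    private static final Set<String> SENSITIVE_KEYS = Set.of(
            "password", "client_secret", "refresh_token", "assertion", "code_verifier");

    /** Returns a copy of the parameters that is safe to log; sensitive values are masked. */
    public static Map<String, String> sanitizeForLog(Map<String, String> extraParams) {
        if (extraParams == null) {
            return Collections.emptyMap();
        }
        Map<String, String> safe = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : extraParams.entrySet()) {
            String key = e.getKey();
            // Match case-insensitively so "Password" or "PASSWORD" is still masked.
            if (key != null && SENSITIVE_KEYS.contains(key.toLowerCase())) {
                safe.put(key, "***REDACTED***");
            } else {
                safe.put(key, e.getValue());
            }
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample of a Resource Owner Password Credentials request.
        Map<String, String> extraParams = new LinkedHashMap<>();
        extraParams.put("grant_type", "password");
        extraParams.put("username", "alice");
        extraParams.put("password", "example-not-a-real-secret");
        extraParams.put("scope", "openid");

        // Before: what a DEBUG line built from the raw map would contain.
        System.out.println("unsafe: " + extraParams);
        // After: the same line built from the sanitized copy.
        System.out.println("safe:   " + sanitizeForLog(extraParams));
    }
}
```

The same redaction should be applied wherever the request is serialized for diagnostics, including exception messages and audit events, not only the single DEBUG line named in the issue.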

mmrraju commented 2 weeks ago

Hi, @yuriyz any update?

yuriyz commented 2 weeks ago

I didn't check it yet

yuriyz commented 1 week ago

Fixed in master (4.5.6-SNAPSHOT).