Scrubbing of sensitive information in TokenRequestValidationLog is case-sensitive. This can cause an issue with the ResourceOwner flow when a user provides invalid credentials and the client posting the credentials does not match a fieldname exactly. So if the fieldname is "Password" instead of "password", the password is not scrubbed and is leaked to the log.
Scrubbing of sensitive information in TokenRequestValidationLog is case-sensitive. This can cause an issue with the ResourceOwner flow when a user provides invalid credentials and the client posting the credentials does not match a fieldname exactly. So if the fieldname is "Password" instead of "password", the password is not scrubbed and is leaked to the log.