smjn commented on code in PR #13119:
URL: https://github.com/apache/kafka/pull/13119#discussion_r1070212730
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java:
##########
@@ -240,6 +240,9 @@ static String handleOutput(final HttpURLConnection con)
throws IOException {
int responseCode = con.getResponseCode();
log.debug("handleOutput - responseCode: {}", responseCode);
+ // NOTE: the contents of the response should not be logged so that we
don't leak any
+ // sensitive data.
+ // TODO: is it OK to log the error response body and/or its formatted
version?
Review Comment:
Hi I had referred the rfc which mentioned about the error response -
https://www.ietf.org/rfc/rfc6749.txt , section 5.2
P.S. has there been any instance of info leak? There are only 3 things to
leak - client_id, secret and scope. Of this only the secret is problematic. As
per the rfc the value of the attribute is not printed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
