kirktrue commented on code in PR #13119:
URL: https://github.com/apache/kafka/pull/13119#discussion_r1081575409
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java:
##########
@@ -240,6 +240,9 @@ static String handleOutput(final HttpURLConnection con)
throws IOException {
int responseCode = con.getResponseCode();
log.debug("handleOutput - responseCode: {}", responseCode);
+ // NOTE: the contents of the response should not be logged so that we
don't leak any
+ // sensitive data.
+ // TODO: is it OK to log the error response body and/or its formatted
version?
Review Comment:
@smjn - No known instance that I'm aware of. A security review brought it to
my attention, so addressing preemptively. The main fix is to remove the logging
of the successful response, which would include outputting the access token to
the logs.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
