kirktrue commented on code in PR #13119:
URL: https://github.com/apache/kafka/pull/13119#discussion_r1081589480
##########
clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java:
##########
@@ -240,6 +240,9 @@ static String handleOutput(final HttpURLConnection con)
throws IOException {
int responseCode = con.getResponseCode();
log.debug("handleOutput - responseCode: {}", responseCode);
+ // NOTE: the contents of the response should not be logged so that we
don't leak any
+ // sensitive data.
+ // TODO: is it OK to log the error response body and/or its formatted
version?
Review Comment:
@smjn: Thanks for referencing the RFC and section. I updated the comments to
include the link. Thanks!
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
