[KAFKA-14623] OAuth's HttpAccessTokenRetriever potentially leaks secrets in logging - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.0, 3.3.1, 3.3.2
Fix Version/s: 3.4.0, 3.3.3
Component/s: clients, security
Labels:
- OAuth

Description

The OAuth code that communicates via HTTP with the IdP (HttpAccessTokenRetriever.java) includes logging that outputs the request and response payloads. Among them are:

https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L265
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L274
https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/security/oauthbearer/internals/secured/HttpAccessTokenRetriever.java#L320

It should be determined if there are other places sensitive information might be inadvertently exposed.

Attachments

Issue Links

links to

GitHub Pull Request #13119

GitHub Pull Request #13166

Activity

People

Assignee:: Kirk True

Reporter:: Kirk True

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Jan/23 21:31

Updated:: 29/Jun/23 21:07

Resolved:: 17/Feb/23 19:32

Time Tracking

Estimated:

24h

Remaining:

24h

Logged:

Not Specified