Sensitive data like access token is logged in logs.

Question

Sensitive data like access token is logged in logs.

ygag-basil opened this issue 9 months ago · comments

It will be good if the logging is configurable. ie we can enable or disable logging such details via a flag in settings.py

Basil Jose · Answer 1 · Tue Oct 24 2023 19:25:07 GMT+0800 (China Standard Time)

Issuing token {'access_token': 'awRlgppKr55NWczY*****ocEg90', 'expires_in': 1800, 'token_type': 'Bearer', 'scope': 'read write', 'refresh_token': 'WOW077m*0kQWOm7cuatOW7aDNR'} to client id '85m3Y6uP5dG72ZyYGocXYU2xnsJelDAETteK' (<Application: Apple>)

Invisi · Answer 2 · Wed Oct 25 2023 03:41:46 GMT+0800 (China Standard Time)

Those lines are only logged with the log level set to debug[0][1].
You should be able to disable them by configuring the level of oauthlib.oauth2 to something different.

[0] https://github.com/oauthlib/oauthlib/blob/eddb461c1043f8ad583fd67af34749e32fdc19cc/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py#L82
[1] https://github.com/oauthlib/oauthlib/blob/eddb461c1043f8ad583fd67af34749e32fdc19cc/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py#L110

Basil Jose · Answer 3 · Wed Oct 25 2023 12:29:59 GMT+0800 (China Standard Time)

@Invisi Thanks for your solution.