
OpenID is writing sensitive client secret to log file #18673

@myniva

Description


If your OpenShift installation has an OpenID Connect identity provider (see https://docs.openshift.org/3.6/install_config/configuring_authentication.html#OpenID) configured, the sensitive client_secret is written to the logs:

Feb 20 09:54:41 master-node origin-master[18966]: I0220 09:54:41.313861   18966 handler.go:66] Authentication needed for &{{oidc ... {<client_id> <!!!CLIENT_SECRET!!!> [openid] map[] https://idp.com/auth https://idp.com/token  [sub] [preferred_username] [email] [name] <nil>}} ... }

Sensitive information like passwords, secrets, and keys should never be written in plain text to the log files of an application, for security reasons.

Version
  • openshift v3.6.1+008f2d5
  • kubernetes v1.6.1+5115d708d7
Steps To Reproduce
  1. Configure OpenID Connect
  2. Try to authenticate with the newly configured identity provider
Current Result

Configured client secret is written in plain text to the logs of OpenShift.

Expected Result

The client secret must be
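The log line in the report comes from formatting a whole configuration struct with a `%v`-style verb, which prints every field, including the secret. The usual Go remedy is to give the secret its own type whose `String` and `GoString` methods return a redaction marker, so any `fmt` call that touches the struct prints the marker instead of the value. The example below is added here to illustrate that pattern; it is not code from the OpenShift origin project, and the `oidcConfigUnsafe`/`oidcConfigSafe` types, the `Secret` type and the sample secret value are hypothetical, constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Secret wraps a sensitive string (here an OIDC client secret). Its String and
// GoString methods make every fmt verb (%v, %+v, %#v, %s, %q) print a redaction
// marker instead of the value, so a struct that embeds it can be logged safely.
type Secret string

const redacted = "[REDACTED]"

func (s Secret) String() string   { return redacted }
func (s Secret) GoString() string { return redacted }

// Reveal returns the real value for the one place that must use it
// (the token-endpoint request); it is never called by fmt.
func (s Secret) Reveal() string { return string(s) }

// oidcConfigUnsafe is a hypothetical config whose client secret is a plain
// string; logging the struct with %v or %+v prints the secret verbatim.
type oidcConfigUnsafe struct {
	ClientID     string
	ClientSecret string
	Scopes       []string
}

// oidcConfigSafe stores the secret as Secret, so fmt redacts it automatically.
type oidcConfigSafe struct {
	ClientID     string
	ClientSecret Secret
	Scopes       []string
}

// LogLineUnsafe builds the kind of line the report shows: the secret leaks.
func LogLineUnsafe(c oidcConfigUnsafe) string {
	return fmt.Sprintf("Authentication needed for %+v", c)
}

// LogLineSafe builds the same line from the hardened config.
func LogLineSafe(c oidcConfigSafe) string {
	return fmt.Sprintf("Authentication needed for %+v", c)
}

// Leaks reports whether secret appears verbatim in line. A check like this
// belongs in the unit tests of every code path that formats config for logs.
func Leaks(line, secret string) bool { return strings.Contains(line, secret) }

func main() {
	const secret = "constructed-secret-do-not-use" // constructed sample value
	plain := oidcConfigUnsafe{ClientID: "my-client", ClientSecret: secret, Scopes: []string{"openid"}}
	safe := oidcConfigSafe{ClientID: "my-client", ClientSecret: Secret(secret), Scopes: []string{"openid"}}
	fmt.Println(LogLineUnsafe(plain)) // secret visible
	fmt.Println(LogLineSafe(safe))    // ClientSecret:[REDACTED]
	fmt.Println("leak (unsafe, safe):", Leaks(LogLineUnsafe(plain), secret), Leaks(LogLineSafe(safe), secret))
}
```

The redaction is attached to the type rather than to each log call, so a new log statement added later cannot reintroduce the leak by accident; the `Leaks` check turns that property into a regression test.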
