feat: obfuscate refresh_token parameter in oauth request by default #1966


maksymgendin
Contributor

Description

For OAuth 2.0 Refresh Token Grant Type the refresh_token is a required parameter and should be obfuscated by default org.zalando.logbook.BodyFilter.

Motivation and Context

The OAuth 2.0 Refresh Token is a sensitive token and should not be logged in plain text, same as password and client_secret.

This was already discussed here, but I'm not sure why this behavior was not added at that time.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
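
The masking this PR asks for, as an added example that is not part of the PR or of Logbook's code: a standalone filter that masks `client_secret`, `password` and `refresh_token` values in a form-encoded token request. The class name, method names and the `XXX` replacement string are assumptions, and the request body is constructed.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

// Added illustration, not Logbook's implementation; all names here are hypothetical.
public final class OAuthFormRedactor {
    // Parameters the PR description treats as sensitive in a token request.
    private static final Set<String> SENSITIVE =
            Set.of("client_secret", "password", "refresh_token");
    private static final String MASK = "XXX"; // assumed replacement string

    // Masks sensitive values; bodies that are not form-encoded are returned unchanged.
    public static String redact(String contentType, String body) {
        if (contentType == null || !contentType.toLowerCase(Locale.ROOT)
                .startsWith("application/x-www-form-urlencoded")) {
            return body;
        }
        return Arrays.stream(body.split("&", -1))
                .map(OAuthFormRedactor::redactPair)
                .collect(Collectors.joining("&"));
    }

    private static String redactPair(String pair) {
        int eq = pair.indexOf('=');
        String rawKey = eq < 0 ? pair : pair.substring(0, eq);
        String key;
        try {
            // Decode the key so a percent-encoded name such as "refresh%5Ftoken" still matches.
            key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            key = rawKey; // malformed escape: compare the raw key
        }
        if (eq < 0 || !SENSITIVE.contains(key)) {
            return pair; // includes grant_type=refresh_token, where only the value matches
        }
        return rawKey + "=" + MASK;
    }

    public static void main(String[] args) {
        // Constructed sample: a refresh token grant request body.
        String body = "grant_type=refresh_token&refresh_token=EXAMPLE-REFRESH-TOKEN"
                + "&client_id=example-client&client_secret=EXAMPLE-SECRET";
        System.out.println(redact("application/x-www-form-urlencoded; charset=UTF-8", body));
    }
}
```

Matching on the decoded parameter name rather than on a substring keeps `grant_type=refresh_token` readable in the log while the token value itself is masked.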

@maksymgendin maksymgendin force-pushed the feat/obfuscate-refresh_token-in-oauth-request branch from f4707c6 to 7f275fc Compare December 2, 2024 13:40
@maksymgendin maksymgendin force-pushed the feat/obfuscate-refresh_token-in-oauth-request branch from 7f275fc to dd8079d Compare December 2, 2024 13:54
@maksymgendin
Contributor Author

Sorry, I had to force push for signing my commit.

@maksymgendin
Contributor Author

@kasmarian Could you please approve again?

@kasmarian kasmarian merged commit 4ef191e into zalando:main Dec 9, 2024
4 checks passed
@kasmarian
Member

Thank you for the PR, @maksymgendin!

@maksymgendin maksymgendin deleted the feat/obfuscate-refresh_token-in-oauth-request branch December 9, 2024 08:54
Labels
minor Minor changes