This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

TokenRequestValidationLog leaking passwords #3887

Open
ekeij opened this issue Oct 20, 2017 · 0 comments

Comments


ekeij commented Oct 20, 2017

Scrubbing of sensitive information in TokenRequestValidationLog is case-sensitive. This can cause an issue with the ResourceOwner flow when a user provides invalid credentials and the client posting the credentials does not match a fieldname exactly. So if the fieldname is "Password" instead of "password", the password is not scrubbed and is leaked to the log.
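Added example (not IdentityServer's code): a small model of the defect the report describes, a log scrubber that matches field names case-sensitively, beside the case-insensitive fix, with a regression check that scans the rendered log line for the raw secret values. The field list, request body and secret values are constructed sample data.

```python
# Added example (not IdentityServer's code): models the scrubbing defect the
# issue describes and a case-insensitive fix. Sample data is constructed.

SENSITIVE_FIELDS = {"password", "client_secret"}  # assumed list of scrubbed names
MASK = "***REDACTED***"


def scrub_case_sensitive(raw: dict) -> dict:
    """Buggy variant: only an exact-case match of the field name is masked."""
    return {k: (MASK if k in SENSITIVE_FIELDS else v) for k, v in raw.items()}


def scrub_case_insensitive(raw: dict) -> dict:
    """Fixed variant: compare field names case-insensitively via casefold()."""
    sensitive = {name.casefold() for name in SENSITIVE_FIELDS}
    return {k: (MASK if k.casefold() in sensitive else v) for k, v in raw.items()}


def render_log(scrubbed: dict) -> str:
    """Mimics a key=value dump of the validated request, as a validation log emits."""
    return ", ".join(f"{k}={v}" for k, v in sorted(scrubbed.items()))


def leaked_secrets(log_line: str, secrets) -> list:
    """Regression check: return every raw secret value that survives into the log."""
    return [s for s in secrets if s in log_line]


# Constructed resource-owner request whose client sent "Password" with a capital P.
SAMPLE_REQUEST = {
    "grant_type": "password",
    "username": "alice",
    "Password": "Hunter2!",  # not lowercase: the buggy scrubber misses it
    "client_id": "sample-client",
    "client_secret": "s3cr3t-value",
}
SECRET_VALUES = ["Hunter2!", "s3cr3t-value"]

if __name__ == "__main__":
    buggy = render_log(scrub_case_sensitive(SAMPLE_REQUEST))
    fixed = render_log(scrub_case_insensitive(SAMPLE_REQUEST))
    print("buggy:", buggy, "| leaked:", leaked_secrets(buggy, SECRET_VALUES))
    print("fixed:", fixed, "| leaked:", leaked_secrets(fixed, SECRET_VALUES))
```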
