Bug #2862

closed

We log oauth consumer key in the production.log

Added by Lukas Zapletal over 10 years ago. Updated over 10 years ago.

Status:
Rejected
Priority:
Normal
Category:
Authentication
Target version:
Difficulty:
trivial
Triaged:
Fixed in Releases:
Found in Releases:

Description

We should not do that, just saying "is invalid" is enough and more secure.

Actions #1

Updated by Marek Hulán over 10 years ago

I personally don't like this change too much. oauth_key is something like username (and oauth_consumer is more like password) so I think we can log this. I find this useful for debugging. If we want to hide usernames we should think of filtering usernames coming from login forms (and probably other places). Anyone else concerned?

Actions #2

Updated by Lukas Zapletal over 10 years ago

  • Status changed from Assigned to Ready For Testing

Actions #3

Updated by Dominic Cleal over 10 years ago

I ran this by Grant from RH's security team and he seemed to agree with Marek's response:

The consumer_key makes up part of the client credentials but it is not a secret component of them. It is intended to be a unique identifier for the client that is transmitted when requesting a request_token and access_token. The consumer_secret should never be exposed. In this case I'm not sure it would matter if you logged the consumer_key anyway as AFAICT only one consumer_key / consumer_secret can be configured for the application.

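As an added example, not code from this bug report or from the project itself: a Ruby parameter filter applied before a request is written to production.log, which keeps oauth_consumer_key visible as the client identifier while masking the consumer secret and other credential or credential-derived values. The parameter names, the pattern of what counts as sensitive, and the sample request are constructed assumptions.

```ruby
# Added example (not the project's code): sanitize OAuth request parameters
# before logging. Per the discussion above, oauth_consumer_key is an
# identifier (fine to log, useful for debugging) while oauth_consumer_secret
# must never be exposed. Signatures are derived from the secret, so they are
# masked here too; that is this example's assumption, not the bug report's.

# Parameter names whose values are never written to the log.
SECRET_PARAM_PATTERN = /secret|password|signature/i
MASK = '[FILTERED]'

# Returns a copy of +params+ (Hash, Array, or scalar) with every value whose
# key matches SECRET_PARAM_PATTERN replaced by MASK, recursing into nested
# hashes and arrays. Keys and non-sensitive values are left untouched.
def filter_oauth_params(params)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = key.to_s.match?(SECRET_PARAM_PATTERN) ? MASK : filter_oauth_params(value)
    end
  when Array
    params.map { |value| filter_oauth_params(value) }
  else
    params
  end
end

# Builds the "Parameters:" line a request logger would emit, already filtered.
def oauth_log_line(params)
  "Parameters: #{filter_oauth_params(params).inspect}"
end

if __FILE__ == $0
  # Constructed sample request; none of these values come from the bug report.
  sample = {
    'oauth_consumer_key'    => 'example-client',   # identifier: stays visible
    'oauth_consumer_secret' => 'not-a-real-secret', # credential: masked
    'oauth_signature'       => 'abc123=',           # derived from the secret
    'oauth_nonce'           => 'n1',
    'controller'            => 'api/hosts'
  }
  puts oauth_log_line(sample)
end
```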
Actions #4

Updated by Lukas Zapletal over 10 years ago

  • Status changed from Ready For Testing to Rejected